Review

A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network

Yinghao Su 1,*, Dapeng Xiong 2, Kechang Qian 2 and Yu Wang 2

1 Institute of Graduate, Space Engineering University, Beijing 101416, China
2 Institute of Aerospace Information, Space Engineering University, Beijing 101416, China
* Correspondence: hgdyinghao@ldy.edu.rs

Citation: Su, Y.; Xiong, D.; Qian, K.; Wang, Y. A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network. Electronics 2024, 13, 807. https://doi.org/10.3390/electronics13040807
Academic Editors: Xiang Su, Liang Xiao, Nan Qi, Rugui Yao and Lin Zhang
Received: 31 December 2023
Revised: 29 January 2024
Accepted: 8 February 2024
Published: 19 February 2024

Copyright: © 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Abstract

The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

Keywords: software-defined network; distributed denial of service attacks; intrusion detection; network security

1. Introduction

With the increasing complexity of computer networks, traditional network architectures are finding it difficult to meet the requirements of current cloud computing, the mobile Internet, and other aspects for diversified and scalable network services. This is due to their fixed form and tight coupling of control and data-forwarding functions [1]. SDN, proposed in this context, is a new type of network architecture that separates the network control function from the data forwarding function, providing greater flexibility and programmability compared to traditional networks. Although SDN architecture achieves centralized network control and on-demand traffic forwarding, it still has significant security vulnerabilities and is more susceptible to security threats. Among them, denial-of-service attacks that disrupt the availability of SDN are a common attack method [2].

A denial of service attack is when an attacker sends malicious traffic to computer network hosts, depleting the network's limited resources and disrupting its availability, rendering it incapable of providing regular services. When attackers control a large number of hosts to launch a DoS attack, it becomes a distributed denial of service attack. DoS attacks exploit vulnerabilities in network protocols and the limited nature of network resources by sending a large number of invalid data packets. This consumes the network's bandwidth, connection, and service resources, ultimately preventing authorized users from accessing the network. Currently, DoS attacks have become a significant method of cyber warfare [3]. In the Russia-Ukraine conflict, Russia launched DDoS attacks against multiple military, government, and financial websites in Ukraine. These attacks caused several critical infrastructures and important network systems to collapse, significantly impacting Ukraine's social order. Therefore, effectively preventing and mitigating network DDoS attacks has become an urgent problem that needs to be addressed.

While SDN offers benefits such as agility, flexibility, and programmability, it remains susceptible to DDoS attacks. Due to centralized management in the SDN architecture, DDoS attacks can easily overwhelm SDN controllers and switch flow tables, resulting in significant network performance degradation. Currently, numerous research topics focus on DDoS attack detection and mitigation technology in traditional networks. However, many of these solutions are not applicable to SDN controllers. At the same time, it is challenging to effectively detect new DDoS attacks in SDN environments. Hence, it is essential to systematically review the relevant literature on DDoS attack detection and mitigation technology in SDN environments.

Many survey papers on DDoS defense solutions are available in the literature, and they are closely related to our work. In previous literature reviews, Mittal et al. [4] and Ali et al. [5] focused solely on examining DDoS attack defense strategies from a single technical standpoint. Karnani et al. [6] conducted a review specifically on mitigation strategies. Ubale et al. [3] and Kaur et al. [7] provided comprehensive overviews of DDoS attack detection and mitigation technologies; however, these articles do not include a summary of the existing literature on moving target defense technology utilizing the SDN network architecture. This article presents a comprehensive analysis of the current literature on the detection and mitigation of DDoS attacks in SDN. We categorize and examine the various technical approaches employed in this field, with a particular focus on moving target defense technology mitigation strategies, which have received limited attention in previous reviews. In addition, we also classified the reviewed literature according to the experimental environment used and summarized the existing technical issues and challenges faced in current research. Table 1 shows a comparison of the proposed study with existing survey papers in recent years.
Table 1. Comparison of proposed study with the existing studies.

| Covered Topic | | Ref. [3] | Ref. [5] | Ref. [6] | Ref. [7] | Ref. [8] | Our Work |
| :--- | :--- | :---: | :---: | :---: | :---: | :---: | :---: |
| Vulnerable points and DDoS attack types in SDN | | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DDoS attack detection technology | Statistical analysis and information entropy | - | - | ✓ | ✓ | ✓ | ✓ |
| | Machine learning | ✓ | ✓ | - | ✓ | ✓ | ✓ |
| | Hybrid detection | | ✓ | - | ✓ | ✓ | ✓ |
| DDoS attack mitigation techniques | Policy-based techniques | ✓ | - | ✓ | ✓ | ✓ | ✓ |
| | Moving target defense | - | - | ✓ | - | - | ✓ |
| Experimental environment analysis | | ✓ | - | ✓ | ✓ | ✓ | ✓ |
| Research challenges and gaps | | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

"✓": The paper contains this content. "-": The paper does not contain this content.
The main contributions of our paper can be summarized as follows:
  • We provide a description of the security vulnerabilities that exist in SDN as well as the prevalent DDoS attacks that target SDN networks.
  • We conducted a literature review on popular DDoS attack detection and mitigation technologies in SDN and categorized and evaluated them according to the technologies utilized. DDoS attack detection and mitigation technologies in SDN environments encompass statistical analysis techniques, machine learning techniques, hybrid detection techniques, policy-based techniques, and, particularly, moving target defense techniques, which are less commonly discussed in the literature. Furthermore, we conducted a comparative assessment of the benefits and drawbacks linked to these technologies.
  • Finally, we analyze the experimental environment used in the relevant literature and briefly summarize the research challenges and gaps in DDoS attack defense technology in SDN.

The rest of this paper is structured as follows: Section 2 elaborates on the methods used to search the literature during the research process of this article; Section 3 presents the vulnerable points and DDoS attacks in SDN; Section 4 presents the DDoS attack detection technology in SDN and Section 5 presents the DDoS attack mitigation techniques in SDN. In Section 6, we analyze the experimental part of the collected literature. Section 7 summarizes the research challenges and gaps in existing work. Section 8 concludes our work.

2. Research Methodology

Our research primarily focuses on detecting and mitigating DDoS attacks in SDN environments. Through a comprehensive review of the relevant literature, we aim to address the following questions:
  • RQ 1: What are the weaknesses of SDN compared to traditional networks, and to what DDoS attacks is it more susceptible?
  • RQ 2: What technical methods do researchers typically use to detect and mitigate DDoS attacks in SDN environments?
  • RQ 3: What are the benefits and drawbacks of current detection and mitigation technologies? What are the current challenges in research?

To find papers related to the research questions, we followed a three-stage selection procedure: (1) identifying search terms, (2) selecting sources, and (3) applying inclusion/exclusion criteria to the selected papers:
  • Search terms: This stage primarily determines the keywords to search and the search strings. For the research of DDoS attacks on SDN, the identified keywords were as follows: "SDN", "DDoS", "Controller Resource Saturation", and "Flow Table Overloading". Meanwhile, to define the search string, the Boolean operator "OR" was used to select optional words and synonyms, while "AND" was used to select relevant terms, thereby generating the search string. The following keywords were selected as the search string: ("software-defined network" OR "SDN") AND ("DDoS" OR "Controller Resource Saturation" OR "Bandwidth Saturation" OR "Flow Table Overloading").
  • Search library: We selected Google Scholar, IEEE Xplore, Springer, ScienceDirect, Wiley, Hindawi, and ACM as the databases to search the literature. At the same time, we also searched the relevant literature on CNKI and selected articles with higher impact factors.
  • Inclusion/exclusion criteria: We further reviewed the literature retrieved from the databases and established exclusion criteria to eliminate studies that were not relevant to the defined research questions. The exclusion criteria are defined as follows:
    • Multiple research studies.
    • Studies that do not provide an equivalent amount of information.
    • The literature without adequate experimental support.
    • Not strongly correlated with SDN.

3. Vulnerable Points and DDoS Attacks in SDN

Due to its flexible architecture and non-standardized protocols, SDN has more vulnerabilities in terms of security, leading to a series of new security issues. SDN is not only susceptible to DDoS attacks targeting server devices or services in traditional networks but also to new types of DDoS attacks against switches and controllers, which can cause damage to the network. The security issues and DDoS attacks faced by SDN architecture are shown in Figure 1.

Figure 1. Security problems and DDoS attacks in the SDN architecture.

  • The security of the data plane. The limited storage space for flow table entries in data plane switches can lead to overload or buffer overflow when attackers send a large amount of traffic, depleting the computing resources of the control plane. There is a vulnerability in the timeout mechanism of the OpenFlow protocol used for communication between the controller and the switch. Flow table entries are not updated in real time, so when attackers send false flow table entries to the switch, they continue to be stored in the switch, affecting the normal forwarding of related packets and potentially disrupting the network topology [9].
  • The security of the control plane. The control plane controller has network control capabilities. When the controller is hijacked, attackers can use it to carry out network eavesdropping, IP address spoofing, and routing modifications, which can compromise the integrity and confidentiality of the network [8]. A hijacked controller can also send false messages to launch DDoS attacks and deplete network resources.
  • The security of the application plane. The application layer defines the functionality of the network controller. However, due to the absence of strict access control mechanisms, attackers can execute malicious programs on the application layer to gain access to network intelligence or deplete resources. Attackers can also target specific applications in SDN systems by sending resource-intensive requests to consume the network bandwidth and disrupt network availability [10].
  • The security of communication and protocols. The OpenFlow protocol used in the southbound interface encrypts data using SSL/TLS for secure communication. However, the OpenFlow 1.3.0 specification made TLS optional, which means that communication in the southbound interface may not be secure [11]. Therefore, attackers can intercept or tamper with data packets in southbound communication or exploit the interactive nature of the OpenFlow protocol to launch DDoS attacks and deplete network resources. The absence of standardized protocols in the northbound interface makes data transmission vulnerable to eavesdropping, significantly compromising network confidentiality.

Based on the security issues described above, attackers can exploit vulnerabilities to launch DDoS attacks, which can impact network availability. Since the controller is a core component of the SDN architecture, DDoS attacks targeting SDN controllers have become an important type of DDoS attack [12]. Figure 1 also categorizes DDoS attack types according to the SDN architecture plane. Table 2 summarizes the characteristics of DDoS attacks in SDN environments.
Table 2. DDoS attack types in the SDN environment.

| Attack Type | SDN Plane | Security Vulnerabilities Exploited |
| :--- | :--- | :--- |
| Flow Table Overflow | Data Plane | The OpenFlow switch possesses a restricted amount of storage capacity for flow tables. |
| Switch spoofing | Data Plane | The OpenFlow switch lacks authentication for flow tables. |
| Saturated DDoS attacks | Control Plane | Packet In datagram blocking controller |
| Malicious program DDoS attacks | Application plane | The application plane lacks robust authentication and access control mechanisms for applications. |
| Northbound interface bandwidth exhausted | Application plane | The application layer lacks robust authentication and access control mechanisms for applications, and the northbound interface has limited bandwidth resources [7]. |
  • Data plane DDoS attacks. Data plane OpenFlow switches use ternary content-addressable memory (TCAM) to store forwarding rules. TCAM has high storage efficiency but is expensive and has limited space. When there is a need to store forwarding rules for a large amount of traffic, table overflow can occur [13]. On the other hand, OpenFlow switches have a vulnerability in their static timeout policy. The flow rules stored in the switch are only deleted if no matching packets are received within a certain period of time. The Low-Rate Flow Table Overflow (LOFT) attack exploits this vulnerability by sending low-rate attack traffic timed to the flow table timeout rules, saturating the switch's flow table entries and preventing the normal forwarding of traffic [14]. Another common data plane attack is switch spoofing [15]. Since data plane switches do not have the ability to identify controller flow tables, attackers can send malicious flow table entries to modify the switch's IP address. When the controller tries to connect to the switch using an IP address, the malicious switch impersonates the IP address and communicates with the controller, causing the controller to lose connection with legitimate switches and disrupting network availability.
  • Control plane DDoS attacks. When a switch processes packets that do not match its flow table entries, it sends a Packet In message to the controller in order to retrieve the corresponding flow table information. Attackers inject a large number of invalid packets, causing the switch to send numerous Packet In messages to the controller. This consumes controller resources and achieves the goal of saturating the controller with a DDoS attack.
  • Application plane DDoS attacks. Application plane DDoS attacks exploit the weak access control mechanism of SDN [7]. Applications with design flaws can create a large number of threads, which can consume memory resources or deplete the bandwidth resources of northbound interfaces. Malicious applications can simultaneously consume controller resources by generating a large number of resource-intensive requests. Traditional application plane attacks, such as HTTP Flood and DNS Flood attacks, are also major DDoS attack methods in SDN.

4. DDoS Attack Detection Technology in SDN
4.SDN 中的 DDoS 攻擊偵測技術

4.1. Statistical Analysis-Based DDoS Attack Detection Technology
4.1.以統計分析為基礎的 DDoS 攻擊偵測技術

In SDN environments, effectively identifying DDoS attack behaviors is a crucial prerequisite for issuing timely warnings and successfully implementing defense measures. This is essential for maintaining the normal operation and security of the network. Given that
在 SDN 環境中,有效識別 DDoS 攻擊行為是及時發出警告和成功實施防禦措施的重要前提。這對於維護網路的正常運作和安全性至關重要。鑑於

attackers often use technological means to disguise malicious traffic as legitimate traffic to confuse the public, the precise detection of DDoS attacks faces significant challenges. When a system is subjected to such attacks, the network traffic characteristics typically undergo significant changes. By conducting a comprehensive statistical analysis of these abnormal features, potential DDoS attack activities can be effectively identified. Mainstream statistical analysis and detection methods include, but are not limited to, techniques based on the information entropy theory. These methods reveal hidden attack patterns by quantifying their uncertainty in network traffic. And detection techniques utilize statistical prediction models, which are trained using historical data to predict future traffic conditions. These models serve as a benchmark to identify traffic features that significantly deviate from normal conditions, effectively capturing the occurrence of DDoS attacks. Both of these methods are important for detecting DDoS attacks in the current SDN environment.
攻擊者經常利用技術手段將惡意流量偽裝成合法流量來混淆大眾,因此精確偵測 DDoS 攻擊面臨重大挑戰。當系統受到此類攻擊時,網路流量特徵通常會發生顯著的變化。透過對這些異常特徵進行全面的統計分析,可以有效識別潛在的 DDoS 攻擊活動。主流的統計分析與偵測方法包括但不限於以資訊熵理論為基礎的技術。這些方法透過量化網路流量中的不確定性,揭示隱藏的攻擊模式。而偵測技術則是利用統計預測模型,透過歷史資料的訓練來預測未來的流量狀況。這些模型可作為基準,找出明顯偏離正常狀況的流量特徵,有效捕捉 DDoS 攻擊的發生。這兩種方法對於偵測目前 SDN 環境中的 DDoS 攻擊都很重要。

4.1.1. Information Entropy-Based DDoS Attack Detection Technology
4.1.1.基於資訊熵的 DDoS 攻擊偵測技術

The information entropy theory and information divergence proposed in the information theory can be used to reflect the uncertainty of information in a system. Information entropy is a method used to measure the probability of a random variable occurring at a specific time. Detection methods based on entropy mainly use different header features of network traffic, such as a source IP address, destination IP address, source port, etc., to calculate the randomness of data packets in the network. In a communication system, communication between hosts is unrelated, and the features of network traffic, such as the destination IP, have a high degree of uncertainty. The characteristics of DDoS attack traffic are that a large number of hosts (or spoofed sources) aggregate malicious traffic to one or a few destination hosts. Under the influence of this malicious traffic, the distribution of source IP addresses and destination IP addresses often deviates from the legitimate pattern, and the calculated entropy value also undergoes significant changes in a short period of time. Finally, by combining intrusion detection, machine learning, and other technologies, it is possible to further determine if the system is under a DDoS attack.
資訊理論中提出的資訊熵理論和資訊分歧可以用來反映系統中資訊的不確定性。資訊熵是用來量度隨機變數在特定時間發生的機率。基於熵的偵測方法主要是利用網路流量的不同標頭特徵,如來源 IP 位址、目的 IP 位址、來源埠等,來計算網路中資料封包的隨機性。在通訊系統中,主機間的通訊是不相關的,而網路流量的特徵,例如目的 IP,具有高度的不確定性。DDoS 攻擊流量的特徵是大量主機 (或偽造來源) 將惡意流量聚合到一台或幾台目的主機。在這些惡意流量的影響下,來源 IP 位址與目的 IP 位址的分佈往往會偏離合法的模式,計算出的熵值也會在短時間內發生顯著的變化。最後,透過結合入侵偵測、機器學習等技術,可以進一步判斷系統是否受到 DDoS 攻擊。
Due to the programmability of SDN controllers, it is possible to extract and analyze network traffic, calculate entropy, and detect DDoS attacks in the network. Yadav et al. [16], Ahalawat et al. [17], and Carvalho et al. [18] utilized Shannon entropy to detect DDoS attacks in SDN environments. These methods collect traffic and select features using SDN controllers or OpenFlow switches. They calculate entropy and determine the presence of DDoS attacks based on a threshold. These methods have high real-time capability, and low resource consumption. However, they suffer from low detection accuracy and are prone to false positives.
由於 SDN 控制器的可編程性,因此可以擷取和分析網路流量、計算熵值,並偵測網路中的 DDoS 攻擊。Yadav 等人 [16]、Ahalawat 等人 [17] 和 Carvalho 等人 [18] 利用香儂熵偵測 SDN 環境中的 DDoS 攻擊。這些方法使用 SDN 控制器或 OpenFlow 交換器收集流量並選擇特徵。它們會計算熵,並根據臨界值判斷是否存在 DDoS 攻擊。這些方法具有高即時能力和低資源消耗。然而,這些方法的偵測準確度較低,而且容易造成誤判。
To address the low detection accuracy of static threshold detection based on information entropy, Zahra et al. [19] proposed a method that uses a dynamic threshold in information entropy detection. This method collects the entropy value in each period, divides the collected values into a set of normal entropy values and a set of attack entropy values according to their relationship with the threshold, and updates the entropy threshold based on the mean and standard deviation of the two sets. Although this method improves accuracy to some extent, the dynamic threshold setting is relatively simple and can still result in false alarms. Dynamic threshold design remains one of the hot topics for future research in this field.
Raja et al. [20] proposed a method for detecting DDoS attacks based on generalized entropy, which combines Shannon entropy and Rényi entropy. This method utilizes the Snort intrusion detection system to extract traffic features and calculate the generalized entropy (GE) and generalized information distance (GID) of these features. These measurements are used to determine whether the system is experiencing a DDoS attack. By employing higher-order calculations, generalized entropy amplifies the fluctuations in entropy, rendering it more responsive to variations in network traffic. Reference [20] reduced the redundancy of traffic features by calculating the information distance. This approach helps to minimize the controller's overhead in identifying attack packets. Furthermore, reducing redundant traffic features also helps improve the accuracy of deep learning when detecting traffic in subsequent detection stages.
Liu et al. [21] utilized relative entropy to detect DDoS attacks in SDN. Relative entropy, also known as Kullback-Leibler divergence, reflects the differences between two distributions. In SDN, abnormal traffic changes and DDoS attacks can be detected by statistically analyzing the distribution of traffic features and calculating relative entropy with normal or previous traffic feature distributions. For known attacks, calculating relative entropy can enhance detection effectiveness. However, the effectiveness of detection depends on the prior statistical distribution of normal traffic. Therefore, it is necessary to determine the optimal feature set of network traffic in order to improve detection accuracy.
The calculation formula for Shannon entropy primarily focuses on utilizing a singular traffic feature to identify DDoS traffic, while disregarding the potential correlation with other packet features. Reference [22] introduced a DDoS attack model based on joint entropy detection. Joint entropy employs multiple traffic packet header information to compute entropy values, thereby mitigating the occurrence of false alarms that may arise from solely calculating entropy values for the destination IP. Simultaneously selecting various features for the computation of joint entropy has the potential to identify distinct categories of DDoS attacks. For instance, through the exploitation of vulnerabilities in the ICMP protocol and the calculation of joint entropy using attributes such as the packet destination IP, protocol type, destination port, and packet size, it is possible to achieve a more precise identification of the attack’s source. Although joint entropy exhibits superior performance in the detection of DDoS attacks, it is accompanied by a higher level of computational complexity. Consequently, it cannot ensure real-time performance within the context of SDN.
Ming et al. [23] proposed a method for detecting DDoS attacks based on conditional entropy. One of the characteristics of DDoS attacks is the convergence of multiple sources targeting a single destination. By utilizing conditional entropy, it is possible to calculate the probability of the correlation between source IP addresses and destination IP addresses, thus enabling the detection of DDoS attacks. Conditional entropy reflects the correlation between traffic characteristics and is effective at identifying malicious traffic. However, computational complexity is correspondingly increased.
Li et al. [24] demonstrated the feasibility of using φ-entropy to detect DDoS attack traffic and proposed a φ-entropy-based DDoS attack detection scheme for SDN networks. This work introduces the parameter φ to adjust the sensitivity of the event frequency measurement. Compared to Shannon entropy, φ-entropy can amplify the correlation between random variables and is able to analyze traffic correlation effectively in network traffic analysis. In the proposed scheme, the controller periodically obtains the entropy value of the destination IP addresses of the data flows and compares it with a threshold. When the entropy value is below the threshold for five consecutive periods, a DDoS attack is deemed to be occurring. Through experiments, the authors demonstrated that φ-entropy is more effective than Shannon entropy in detecting high-intensity DDoS attacks. However, the parameter φ used in detection must be adjusted according to the network situation.
Table 3 shows a comparison of information entropy-based detection methods. The detection method based on information theory has low algorithmic complexity, which does not impose a heavy burden on the controller and has certain real-time capabilities. However, it also has certain limitations. In the case of high-traffic SDN networks, the detection method based on information entropy has the drawback of high false alarm and missed detection probabilities. Additionally, it does not perform well in detecting low-rate DDoS attacks. In DDoS attack detection, the information entropy-based method can be used as an initial detection scheme, combined with machine learning methods, to form a multi-level detection scheme, thereby enhancing the capability of detection.
Table 3. Comparison of DDoS attack detection parameters based on information entropy.

| Calculation Parameters | Features | Strengths | Weaknesses | Improvement Methods |
| :--- | :--- | :--- | :--- | :--- |
| Shannon entropy | Probability of variation in traffic characteristics | Easy to calculate; requires few computing resources | Low detection accuracy | Dynamic threshold adjustment; joint detection of multiple traffic features |
| Generalized entropy (GE) | Extension of Shannon entropy that amplifies the variation in Shannon entropy | The order parameter is more sensitive to variations in traffic characteristics | Computational complexity increases when the order is high | Set different orders for different DDoS attacks |
| Relative entropy (KL divergence) | Measures the difference between normal traffic and malicious traffic | High recognition rate for known attacks | Dependent on prior traffic data models | Extract traffic characteristics of different attack types and use relative entropy to identify the attack type |
| Conditional entropy | Reflects the interrelationships among the various attributes of traffic flows | High detection accuracy | Significant time and space complexity, making real-time requirements hard to meet | Select an appropriate conditional entropy detection model for different DDoS attacks |
| Joint entropy | Uses multiple packet header features for entropy calculation | Higher accuracy than a single entropy value; can detect unknown attacks | Requires more computing resources; static thresholds are prone to false alarms | Adaptive threshold adjustment; select accurate detection features to reduce computational complexity |
| φ-entropy | Introduces the parameter φ to adjust the sensitivity of entropy to probability changes in flow characteristics | Amplifies the correlation between traffic flows, with high sensitivity | φ must be pre-set, and different φ values are needed as network traffic changes | Adaptive adjustment of the φ parameter |
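As an added illustration (not code from the survey or from the cited works), the following Python script computes the per-window Shannon and generalized (Rényi) entropy of destination IP addresses over constructed packet windows and applies a dynamic threshold derived from the mean and standard deviation of the windows judged normal, in the spirit of [19] and [20]; the k-sigma update rule, the warm-up and margin parameters, the window layout and the addresses are assumptions of this example.

```python
"""Windowed entropy detection of destination-IP concentration (added example)."""
import math
import statistics
from collections import Counter
from typing import Iterable, List, Optional, Sequence, Tuple


def shannon_entropy(values: Iterable[str]) -> float:
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def renyi_entropy(values: Iterable[str], alpha: float) -> float:
    """Generalized (Rényi) entropy of order alpha; alpha == 1 is Shannon entropy.
    Higher orders weight the dominant destination more, so the drop caused by a
    flood converging on one host is amplified relative to Shannon entropy."""
    if alpha == 1.0:
        return shannon_entropy(values)
    counts = Counter(values)
    n = sum(counts.values())
    return math.log2(sum((c / n) ** alpha for c in counts.values())) / (1.0 - alpha)


class DynamicThresholdDetector:
    """Per-window detector. The destination-IP entropy of each window is compared
    with a threshold re-estimated from the mean and standard deviation of the
    windows judged normal so far (a k-sigma rule assumed here; the exact update
    used in [19] is not reproduced)."""

    def __init__(self, k: float = 3.0, min_margin: float = 0.5, warmup: int = 3):
        self.k = k
        self.min_margin = min_margin  # floor so a flat history cannot yield threshold == mean
        self.warmup = warmup          # windows accepted unconditionally before detection starts
        self.normal: List[float] = []
        self.threshold: Optional[float] = None

    def _update_threshold(self) -> None:
        mean = statistics.fmean(self.normal)
        sd = statistics.pstdev(self.normal) if len(self.normal) > 1 else 0.0
        self.threshold = mean - max(self.k * sd, self.min_margin)

    def observe(self, dst_ips: Sequence[str]) -> Tuple[float, bool]:
        """Return (entropy, is_attack) for one window; normal windows feed the history."""
        h = shannon_entropy(dst_ips)
        if len(self.normal) < self.warmup or h >= self.threshold:
            self.normal.append(h)
            self._update_threshold()
            return h, False
        return h, True  # attack windows are not used to update the threshold


def build_windows(pkts_per_window: int = 200):
    """Constructed traffic: five normal windows spread over 40..60 destinations,
    then one flood window in which 95% of the packets converge on a single host."""
    normal = [[f"10.0.{i}.{j % n}" for j in range(pkts_per_window)]
              for i, n in enumerate((40, 45, 50, 55, 60))]
    flood = [f"10.0.9.{j % 10}" for j in range(10)]
    flood += ["10.0.9.200"] * (pkts_per_window - 10)
    return normal, flood


def run_demo() -> List[Tuple[float, bool]]:
    """Feed the constructed windows through the detector in order."""
    detector = DynamicThresholdDetector()
    normal, flood = build_windows()
    return [detector.observe(w) for w in normal + [flood]]


if __name__ == "__main__":
    for idx, (h, attack) in enumerate(run_demo()):
        print(f"window {idx}: H={h:.3f} bits {'ATTACK' if attack else 'normal'}")
```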

4.1.2. Traffic Statistics-Based DDoS Attack Detection Technology

When a DDoS attack occurs in the network, certain network features may deviate from their normal values. Defenders can select network features based on attack characteristics, analyze changes over a certain period of time, and issue DDoS attack alerts when abnormal features are detected. Additionally, they can establish regression models or time series prediction models based on historical statistical data to predict future traffic changes. This allows for timely alerts to be issued for impending high-traffic behavior in the network [11].
Kalkan et al. [25] proposed a statistical packet filtering model. When the traffic on the switch exceeds the bandwidth threshold, a comparator compares the suspicious traffic characteristics with the configuration file, calculates a matching score, and discards the data packet if the score exceeds the threshold. This approach selects multiple different attributes based on attack traffic to generate various configuration files, resulting in the effective detection of known attacks on switches. Fouladi et al. [26] utilized time series analysis to detect DDoS attacks. This approach statistically analyzes historical traffic change patterns and utilizes ARMA and chaos theory models to forecast future network traffic changes. It also generates alerts in cases of traffic overload. Shohani et al. [27] proposed a statistical prediction detection method for detecting blind DDoS attacks that are difficult to identify. This method utilizes information entropy and principal component analysis techniques. The controller statistically tracks the changes in the number of flow table entries that are not hit when the switch receives normal traffic. It uses the Exponentially Weighted Moving Average (EWMA) method to establish a trapezoidal detection threshold. When a switch is under a DDoS attack, the number of missed flow entries in the switch exceeds the threshold, thereby detecting the DDoS attack. Although this method has a strong defense effect against blind DDoS attacks, it has a weak detection effect for DDoS attacks originating from a single host.
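Added example, not the method of [27]: an EWMA-smoothed baseline of table-miss counts per interval, with an alert when an interval's count exceeds the baseline by more than k smoothed deviations. The constructed miss counts, the deviation tracker, the warm-up and margin parameters are assumptions of this example.

```python
"""EWMA baseline on per-interval flow-table misses (added example)."""
from typing import List, Optional, Tuple


class EwmaMissDetector:
    """Smooths the count of table-miss events (Packet-In messages) per interval
    with an exponentially weighted moving average and raises an alert when an
    interval exceeds the smoothed mean by more than k smoothed deviations.
    Alerted intervals do not update the baseline, so a flood cannot pull the
    threshold up towards itself."""

    def __init__(self, alpha: float = 0.3, k: float = 3.0,
                 min_margin: float = 5.0, warmup: int = 5) -> None:
        self.alpha = alpha            # EWMA weight of the newest sample
        self.k = k                    # deviation multiplier for the threshold
        self.min_margin = min_margin  # minimum headroom above the mean (in misses)
        self.warmup = warmup          # intervals learned before alerts are allowed
        self.mean: Optional[float] = None
        self.dev: float = 0.0         # EWMA of |sample - mean|, a cheap spread estimate
        self.seen = 0

    def observe(self, misses: int) -> Tuple[float, bool]:
        """Return (threshold, is_attack) for one interval's miss count."""
        if self.mean is None:
            self.mean = float(misses)
            self.seen = 1
            return self.mean + self.min_margin, False
        threshold = self.mean + max(self.k * self.dev, self.min_margin)
        attack = self.seen >= self.warmup and misses > threshold
        if not attack:
            diff = misses - self.mean
            self.mean += self.alpha * diff
            self.dev = (1 - self.alpha) * self.dev + self.alpha * abs(diff)
        self.seen += 1
        return threshold, attack


# Constructed per-interval table-miss counts: eight quiet intervals followed by
# two intervals in which spoofed flows force a surge of Packet-In events.
SAMPLE_MISSES: List[int] = [12, 15, 11, 14, 13, 12, 16, 14, 120, 140]


def run_demo(counts: List[int] = SAMPLE_MISSES) -> List[bool]:
    """Return the alert flag for each interval of `counts`."""
    detector = EwmaMissDetector()
    return [detector.observe(c)[1] for c in counts]


if __name__ == "__main__":
    for interval, (count, flagged) in enumerate(zip(SAMPLE_MISSES, run_demo())):
        print(f"interval {interval}: misses={count:4d} {'ALERT' if flagged else 'ok'}")
```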
The label-based statistical analysis method adds flow labels to the traffic data of the various switches. It then performs statistical analysis on data flow information within the network to detect DDoS malicious traffic. Furthermore, it can trace malicious traffic by utilizing the labels. Wang et al. [28] utilized the encoding of data packet forwarding paths as parameters for detecting attacks and generating alerts when abnormal traffic is identified on a specific path. This method is suitable not only for detecting DDoS attacks but also for detecting whether there are loops in the data packet forwarding process. Sahay et al. [29] proposed adding flow-ID labels, based on the VLAN ID field, to Packet-In messages. The traffic statistics collector collects the source address, destination address, and flow-ID label of the packets. When the threshold is exceeded, a security alert is issued, and suspicious switches can be traced using the flow-ID label.
The statistical analysis method has a higher detection accuracy compared to the information entropy detection method, but it also requires the collection of a large amount of historical data, which consumes the network’s computing and storage resources [30]. The dynamic adjustment of feature selection and thresholds is also a consideration for different DDoS attacks and attack rates.

4.2. Machine Learning-Based DDoS Attack Detection Technology

With the recent advancements in artificial intelligence in various fields, machine learning algorithms have been widely used for pattern recognition, object detection, and classification and regression problems. Machine learning algorithms utilize large amounts of data and expert experience to improve algorithmic strategies and parameters, achieving optimal performance standards for computer programs. In DDoS attack detection, defenders can train machine learning-based traffic classifiers on historical traffic data to achieve anomaly detection of network traffic. Commonly used machine learning algorithms for detecting DDoS attack traffic include supervised learning algorithms such as support vector machines (SVM) and Naive Bayes, and unsupervised algorithms such as self-organizing maps (SOMs). Table 4 lists the machine learning methods commonly used for DDoS threat detection.
Table 4. Machine learning algorithms for DDoS attack detection.

| Algorithm Classification | Algorithm | References |
| :--- | :--- | :--- |
| Traditional machine learning | SVM | [31–35] |
| | Decision Tree | [36–38] |
| | KNN | [38–41] |
| | Naive Bayes | [38,42–44] |
| Deep learning | Random Forest | [36–38] |
| | SOM | [41,45,46] |
| | ANN | [47–49] |
| | LSTM | [48–50] |
The SVM algorithm is a binary classification model utilized for distinguishing between normal and abnormal data in the context of DDoS attack detection based on traffic characteristics. Based on the traffic characteristics observed in the SDN network environment, the SVM detection algorithm is employed to gather input feature vectors in order to develop an algorithm for detecting malicious behavior within the network. The accuracy of the SVM algorithm is significantly influenced by the traffic feature vectors and kernel functions that are constructed. Kokila et al. [31], Mehr et al. [32], and Ye et al. [33] employed the SVM algorithm for the purpose of detecting DDoS attacks within the SDN environment. By employing various traffic features and kernel functions, the algorithm was able to enhance its detection accuracy. Myint et al. [35] introduced the advanced support vector machine (ASVM) algorithm as a means to enhance the basic binary classification outcomes of conventional SVM algorithms. The objective was to enable the concurrent identification of UDP Flood and SYN Flood attacks. Reference [34] utilizes the One-Class SVM algorithm for the purpose of detecting DDoS attacks. This study focuses on the training of a One-Class SVM model using 11 feature vectors extracted from DDoS attack traffic. Additionally, an adaptive genetic algorithm was employed to optimize the model's parameters, thereby enhancing the accuracy of the detection process.
The KNN algorithm is a supervised learning algorithm that aims to cluster data by identifying the closest neighbors based on data features. In the context of attack detection, this algorithm categorizes network traffic by quantifying the dissimilarity between various feature values. Dong et al. [39] introduced an enhanced KNN algorithm for the identification of DDoS attacks in SDN. In the context of SDN network traffic, it is essential to consider the following four parameters: traffic length, traffic duration, traffic size, and traffic ratio. These parameters play a crucial role in detecting various types of DDoS attacks. To accomplish this, the KNN model was employed. This model demonstrates a remarkable ability to accurately identify DDoS attacks. However, it is important to note that the simulation experiment topology employed in this study is relatively simplistic, and deploying real-time detection in complex, real-world environments poses significant challenges. Latah et al. [40] employed the KNN algorithm in conjunction with other machine learning algorithms for the purpose of network anomaly traffic detection. The experimental results indicate that the KNN algorithm exhibits superior accuracy but incurs a greater time cost in comparison to alternative algorithms.
Machine learning algorithms such as Naive Bayes, decision trees, and random forests are frequently utilized for the purpose of traffic classification. Currently, numerous studies have synthesized these aforementioned machine learning detection methods and have identified the method that yields the most effective detection results. In order to address the issue of data plane Flow Table Overflow attacks, Santos et al. [37] implemented support vector machines, decision trees, and random forest algorithms within controllers to detect and classify traffic. In the experimental setting of this study, it was observed that decision trees exhibit the shortest processing time, whereas random forest algorithms demonstrate the highest level of accuracy. Khashab et al. [38] implemented a model for detecting DDoS attacks based on data flow for the application plane of the SDN architecture. This study employs a combination of Naive Bayes, logistic regression, decision tree, random forest, SVM, and KNN algorithms in order to detect and classify malicious network traffic. Based on empirical investigations, it has been determined that the random forest algorithm outperforms other algorithms in terms of accuracy and real-time performance. Aslam et al. [54] also implemented these six aforementioned algorithms in the context of SDN for the purpose of detecting DDoS attacks. Unlike previous studies on traffic recognition, this method integrates six distinct algorithms to identify and classify traffic, and subsequently determines the presence of malicious traffic by analyzing the outcomes of these six algorithm classifiers. This approach enhances the overall accuracy of the system. Wu et al. [55] employed a factorization machine (FM) algorithm to identify low-rate DDoS attacks on the data plane. In order to address the concealed and challenging-to-identify attributes of low-speed DDoS attack traffic within the data plane, this approach aims to extract four distinct features from the input flow-table rule. These features were then utilized to train the FM algorithm model, taking into account the correlated characteristics of the attack traffic. Finally, an experiment on a low-speed DDoS attack was conducted using the CAIDA dataset. The experiment compared the performance of the FM algorithm-based DDoS attack detection method with the CNN model and random forest model. The results demonstrate that the FM algorithm-based method achieves a high recognition rate in this specific environment.

4.3. Deep Learning-Based DDoS Attack Detection Technology

Deep learning algorithms are extensively employed in the field of intrusion detection and malicious traffic recognition, primarily because of their inherent advantages, including self-learning capabilities, self-organization, robustness, good fault tolerance, and parallelism [56]. Deep learning-based DDoS attack detection methods exhibit a superior recognition capability for novel DDoS attacks, as they do not necessitate the filtering of traffic features [57]. The primary techniques employed for DDoS detection in deep learning are neural network models.
Cui et al. [58] conducted a study in which they gathered switch traffic through an SDN controller and employed the BPNN (back propagation neural network) algorithm for the purpose of classifying the traffic and detecting any malicious activity. Simultaneously, by utilizing the classification outcomes, it was possible to track the origin of malicious IP traffic and eliminate it within the switch, thereby achieving the objective of mitigating attacks. Li et al. [49] employed CNN, RNN, and LSTM algorithms for the purpose of detecting traffic features. At the same time, it is imperative to continuously update the deep learning detection model in real-time, taking into consideration the probability of traffic characteristics. The aforementioned methods increase the workload on the switch and exhibit low real-time performance. Nam et al. [41] employed the SOM and KNN algorithms to assess the dissimilarity between traffic and malicious traffic feature vectors. Their objective was to identify whether the traffic corresponds to a DDoS attack, enhance the real-time detection capability, and minimize the impact on accuracy. Deepa et al. [59] employed a two-level neural network detection model. Initially, they utilized deep belief network (DBN) and autoencoder (AE) algorithms to extract attack traffic features. Subsequently, the multiple kernel learning (MKL) algorithm was employed for traffic classification with the aim of identifying DDoS traffic while maintaining a balance between accuracy and efficiency.
The advantage of machine learning detection lies in its ability to abstract and generalize over high-dimensional detection data, so multi-dimensional traffic data can be processed efficiently. Machine learning models [60-62] also perform well at recognizing attack types, reducing the dimensionality of traffic data and tracing attackers. The drawback is that the features used by supervised learning algorithms are designed and labelled by hand, and the quality of the input features strongly affects the model's detection accuracy. Unsupervised learning algorithms need additional time and resources to train, which degrades real-time detection.

4.4. Hybrid Detection Technology

While information entropy and machine learning anomaly detection can each identify DDoS attacks in SDN networks, accurately characterizing the large volume of data in an SDN network with information entropy alone is difficult, and relying solely on machine learning consumes excessive time and resources, which makes real-time detection hard to guarantee.
A mature approach is therefore to combine information entropy and machine learning in a hybrid detection model: an information entropy method performs the initial detection, identifying early attack behaviour or locating the attack, and a machine learning method performs further detection. Hu et al. [63] proposed such a hybrid method. It detects changes in information entropy at the SDN controller, extracts the entropy values as features and classifies the traffic with an SVM, effectively identifying DDoS traffic. Sun et al. [64] addressed the low accuracy of plain entropy detection by computing the φ-entropy of the source and destination IP addresses of the traffic. The φ-entropy is used for the initial detection of DDoS attacks, and the detection module then separates normal from malicious traffic with the KNN algorithm. Novaes et al. [65] proposed a multi-level detection method with three stages. First, packet attributes are collected and information entropy and other features are calculated. LSTM models then predict traffic changes and detect early attack behaviour. Finally, fuzzy logic further identifies and pinpoints the attack. Dehkordi et al. [66] proposed a hybrid method that identifies and locates abnormal traffic using information entropy and statistical analysis; in the detection module, several machine learning algorithms (Bayes Net, J48, logistic regression and Random Tree) are used for classification to address the high false alarm rate of the dynamic threshold. Zhang et al. [67] proposed a multi-level hybrid detection method that first uses information entropy to detect changes in network traffic quickly and then a stacked sparse autoencoder (SSAE) with an SVM as a multi-level detection model to identify abnormal traffic, improving timeliness while reducing the false alarm rate.
Hybrid detection technology gives the model high detection accuracy while reducing the processing time of classification. However, because the model design is complex, multiple functional modules must be added to the controller, and the deployment and maintenance costs still require further research and optimization. The multi-level detection mechanism may also increase time and computational resource costs.
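As an added example (not code from the survey or from [63,64]), the following Python sketch implements the two-stage pipeline described above on constructed Packet-In records. Stage one computes the normalized Shannon entropy of destination addresses per time window and flags windows whose entropy falls below a dynamic threshold (baseline mean minus k standard deviations); stage two classifies only the flagged windows with a nearest-centroid model over (source entropy, destination entropy, Packet-In rate), standing in for the SVM/KNN of the cited work. The window size, host pools, seed and the quiet-window case are assumptions chosen for the example; the quiet window shows why a second stage is wanted, since a tiny sample also has low entropy.

```python
import math
import random
from collections import Counter


def shannon_entropy(values):
    """Normalised Shannon entropy in [0, 1]: 0 if all values equal, 1 if all distinct."""
    n = len(values)
    if n <= 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)


def window_features(packet_ins, window_seconds=1.0):
    """Feature vector for one time window of Packet-In events: (H_src, H_dst, rate)."""
    h_src = shannon_entropy([p["src"] for p in packet_ins])
    h_dst = shannon_entropy([p["dst"] for p in packet_ins])
    return (h_src, h_dst, len(packet_ins) / window_seconds)


class HybridDetector:
    """Stage 1: destination-entropy drop below a dynamic threshold. Stage 2: nearest centroid."""

    def __init__(self, k=3.0):
        self.k = k                 # threshold = mean(H_dst of normal windows) - k * std
        self.threshold = None
        self.lo = self.hi = None   # per-feature min/max used for scaling
        self.centroids = {}

    def fit(self, windows, labels):
        feats = [window_features(w) for w in windows]
        normal_hdst = [f[1] for f, lab in zip(feats, labels) if lab == "normal"]
        mean = sum(normal_hdst) / len(normal_hdst)
        var = sum((x - mean) ** 2 for x in normal_hdst) / len(normal_hdst)
        self.threshold = mean - self.k * math.sqrt(var)
        dims = len(feats[0])
        self.lo = [min(f[i] for f in feats) for i in range(dims)]
        self.hi = [max(f[i] for f in feats) for i in range(dims)]
        grouped = {}
        for f, lab in zip(feats, labels):
            grouped.setdefault(lab, []).append(self._scale(f))
        self.centroids = {lab: [sum(v[i] for v in vs) / len(vs) for i in range(dims)]
                          for lab, vs in grouped.items()}

    def _scale(self, f):
        return [(x - lo) / (hi - lo) if hi > lo else 0.0
                for x, lo, hi in zip(f, self.lo, self.hi)]

    def stage1_suspicious(self, window):
        """Cheap entropy check: traffic converging on few destinations collapses H_dst."""
        return window_features(window)[1] < self.threshold

    def stage2_classify(self, window):
        v = self._scale(window_features(window))
        return min(self.centroids, key=lambda lab: math.dist(v, self.centroids[lab]))

    def detect(self, window):
        if not self.stage1_suspicious(window):
            return "normal"            # stage 2 runs only on windows that stage 1 flags
        return self.stage2_classify(window)


# ---- constructed sample traffic (not captured data) ----
HOSTS = ["192.168.1.%d" % i for i in range(1, 17)]
SERVERS = ["10.0.0.%d" % i for i in range(1, 9)]


def make_normal_window(rng, n=40):
    return [{"src": rng.choice(HOSTS), "dst": rng.choice(SERVERS)} for _ in range(n)]


def make_attack_window(rng, n=200, victim="10.0.0.5"):
    """Spoofed random sources flooding one victim: H_src -> 1, H_dst -> 0, high rate."""
    return [{"src": "%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256),
                                     rng.randrange(256), rng.randrange(1, 255)),
             "dst": victim} for _ in range(n)]


def make_quiet_window():
    """Two hosts talking to one server: H_dst is 0 only because the sample is tiny."""
    return ([{"src": "192.168.1.1", "dst": "10.0.0.1"}] * 5
            + [{"src": "192.168.1.2", "dst": "10.0.0.1"}] * 3)


def build_detector(seed=7):
    rng = random.Random(seed)
    windows = [make_normal_window(rng) for _ in range(20)]
    labels = ["normal"] * 20
    windows += [make_attack_window(rng) for _ in range(10)]
    labels += ["ddos"] * 10
    det = HybridDetector()
    det.fit(windows, labels)
    return det, rng


if __name__ == "__main__":
    det, rng = build_detector()
    for name, w in [("normal", make_normal_window(rng)),
                    ("attack", make_attack_window(rng)),
                    ("quiet", make_quiet_window())]:
        print(name, "stage1=%s" % det.stage1_suspicious(w), "final=%s" % det.detect(w))
```

The quiet window is flagged by the entropy stage but classified normal by the second stage because its Packet-In rate and source entropy are nowhere near the attack centroid; in a real deployment the features would be taken from the controller's Packet-In handler or from flow statistics polled from the switches, and the classifier would be trained on labelled captures rather than the synthetic windows used here.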

5. DDoS Attack Mitigation Techniques in SDN

5.1. Policy-Based DDoS Attack Mitigation Techniques

Implementing forwarding policies in switches and controllers, as well as controlling traffic forwarding, filtering, dropping, rate limiting, and redirecting packets, are widely employed techniques for mitigating DDoS attacks. Figure 2 illustrates commonly used policy-based DDoS attack mitigation methods.

Figure 2. The commonly used policy-based DDoS attack mitigation methods.

The SDN application plane is primarily responsible for implementing network business logic and strategies. Defenders can mitigate DDoS attacks there by implementing authentication policies, conducting traffic monitoring and analysis, utilizing NFV, and other methods. Singh et al. [68] proposed ARDefense, a scheme for detecting and mitigating DDoS attacks based on NFV and SDN; it uses NFV, server migration policies and IP spoofing techniques to mitigate application layer DDoS attacks. Ali et al. [69] proposed an intrusion prevention system based on three-layer authentication (user, packet and flow authentication); packets that cannot be authenticated are not forwarded. Authentication strengthens the defense against DDoS attacks, but multi-level authentication also affects network performance. Sarwar et al. [70] proposed a trust-based traffic forwarding method that establishes a trust level for each user, queues traffic according to that level, and discards traffic from unauthorized users.
The SDN controller establishes traffic rules that prevent malicious traffic from being stored and forwarded in the network. Deng [71] proposed a DoS defense method in the controller based on address matching: the MAC address, IP address and port are extracted from the Packet-In message received by the controller and compared with the recorded network device information, and the packet is discarded if they disagree. Ravi et al. [72] implemented a blacklist-based traffic control scheme in the controller to counter SYN flood attackers who use spoofed IP addresses. By analysing IP packets it detects IP-MAC address spoofing in the network, blacklists the illegal addresses it identifies and discards the associated packets. Cao et al. [73] studied the forwarding characteristics of DDoS traffic and used an RNN model to identify the network links associated with attack flows. The controller then decided how to forward traffic from the IP address, hop count and routers traversed, while discarding malicious traffic.
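The address-matching check of [71] and the spoofing blacklist of [72], as an added example in Python that is not the authors' code: the controller keeps a binding table of (switch, port) to (MAC, IP) learned beforehand (constructed here), validates every Packet-In against it, and answers with an OpenFlow-style flow modification expressed as a plain dictionary. The example deliberately quarantines the physical attachment point rather than the claimed source IP, because blacklisting a spoofed IP would let an attacker get a victim's address blocked; the flow-mod field names and `output:normal` action are illustrative rather than any particular controller's API.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PacketIn:
    """The fields a controller reads from a Packet-In before deciding how to forward."""
    dpid: int
    in_port: int
    eth_src: str
    ipv4_src: str
    ipv4_dst: str


@dataclass
class BindingGuard:
    """Address-matching check plus blacklist, keyed on the physical attachment point."""
    bindings: dict                      # (dpid, in_port) -> (expected MAC, expected IP)
    quarantine_seconds: int = 60        # hard_timeout of the installed drop rule
    blacklist: set = field(default_factory=set)   # quarantined (dpid, in_port) pairs

    def handle_packet_in(self, pkt):
        key = (pkt.dpid, pkt.in_port)
        if key in self.blacklist:
            return self._drop(pkt, "port quarantined")
        expected = self.bindings.get(key)
        if expected is None:
            # Unknown attachment point: drop this packet but install no state for it,
            # otherwise unknown sources could fill the flow table with drop entries.
            return {"action": "drop", "reason": "unknown port", "flow_mod": None}
        if (pkt.eth_src, pkt.ipv4_src) != expected:
            # MAC/IP does not match what the controller learned for this port: spoofing.
            # Quarantine the port, not the claimed IP, so an attacker cannot get a
            # victim's address blacklisted simply by spoofing it.
            self.blacklist.add(key)
            return self._drop(pkt, "ip/mac mismatch")
        return {"action": "forward", "reason": "binding ok",
                "flow_mod": {"match": {"in_port": pkt.in_port, "eth_src": pkt.eth_src,
                                       "ipv4_src": pkt.ipv4_src, "ipv4_dst": pkt.ipv4_dst},
                             "priority": 10, "idle_timeout": 30,
                             "actions": ["output:normal"]}}

    def _drop(self, pkt, reason):
        # A flow entry with an empty action list drops matching packets; matching on
        # in_port alone silences the whole attachment point until hard_timeout expires.
        return {"action": "drop", "reason": reason,
                "flow_mod": {"match": {"in_port": pkt.in_port}, "priority": 100,
                             "hard_timeout": self.quarantine_seconds, "actions": []}}


def demo_bindings():
    """Constructed binding table: two hosts on switch 1 (assumed values)."""
    return {(1, 1): ("aa:bb:cc:00:00:01", "10.0.0.1"),
            (1, 2): ("aa:bb:cc:00:00:02", "10.0.0.2")}


if __name__ == "__main__":
    guard = BindingGuard(demo_bindings())
    legit = PacketIn(1, 1, "aa:bb:cc:00:00:01", "10.0.0.1", "10.0.0.9")
    spoof = PacketIn(1, 2, "aa:bb:cc:00:00:02", "10.0.0.1", "10.0.0.9")  # host 2 claims host 1's IP
    for p in (legit, spoof, legit):
        decision = guard.handle_packet_in(p)
        print(decision["action"], "-", decision["reason"])
```

The drop rule carries a hard timeout so a quarantined port recovers on its own, which matters when the "attacker" is a misconfigured host; the binding table itself has to be populated from a trusted source (DHCP snooping, static inventory or the controller's own host tracker) for the check to mean anything.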
Flow Table Overflow DDoS attacks on the SDN data plane inject traffic slowly into OpenFlow switches while mimicking the characteristics of legitimate users, which leads entropy- and machine-learning-based methods to misclassify such traffic [74]. Bawany et al. [75] implemented an adaptive filtering strategy based on flow rules that defines three filtering strategies according to the network traffic; depending on the size and rate of the attack traffic, packets are dropped, ports are blocked or flows are redirected, achieving adaptive DDoS mitigation. Yuan et al. [76] introduced a peer-support strategy: when a switch requests a new policy from the controller, a status-monitor module moves the flow to another peer switch based on parameters such as TCAM usage, distance from other switches and switch load, relieving storage pressure on the switch. Bhushan et al. [77] introduced a flow table space model grounded in queuing theory; when the free space in a switch's flow table is inadequate, the queuing model moves the corresponding flow policies to a switch with sufficient space and deletes low-utilization policies to prevent overflow. Katta et al. [78] studied the optimization of switch flow table storage strategies. Dang et al. [79] mitigated DDoS attacks with timeout policies: when the controller detects a high volume of half-open TCP connections it adjusts the timeout rule according to changes in network traffic, promptly removes the half-open entries from the flow table, and applies a blacklist to reject malicious packets. These flow-table optimizations expand the usable storage space by removing unnecessary entries [80], taking into account the dependencies among flow table entries [81].
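As an added example (not code from the survey or from [77,79]), the Python model below combines the two flow-table protections just described: the idle timeout shrinks as the table fills, and when the table is full the entry evicted first is a half-open TCP entry (a SYN that never completed its handshake), then the entry with the lowest packet count, which is the low-utilization criterion. Capacity, timeouts and the occupancy threshold are assumed values; a real controller would push the chosen timeout in each flow-mod and issue explicit deletes for the evicted matches.

```python
class FlowEntry:
    def __init__(self, match, now, half_open=False):
        self.match = match
        self.installed = now
        self.last_seen = now
        self.packets = 0             # utilisation counter, as in switch flow statistics
        self.half_open = half_open   # TCP SYN seen, handshake not completed


class FlowTableManager:
    """Controller-side view of one switch's flow table with adaptive timeouts and eviction."""

    def __init__(self, capacity, base_idle_timeout=30.0, pressure=0.8):
        self.capacity = capacity
        self.base_idle_timeout = base_idle_timeout
        self.pressure = pressure       # occupancy above which timeouts are tightened
        self.entries = {}              # match -> FlowEntry

    def occupancy(self):
        return len(self.entries) / self.capacity

    def idle_timeout(self):
        """Full base timeout while the table is comfortable; shrinks towards 1 s as it fills."""
        occ = self.occupancy()
        if occ < self.pressure:
            return self.base_idle_timeout
        return max(1.0, self.base_idle_timeout * (1.0 - occ))

    def expire(self, now):
        """Remove entries idle longer than the current (adaptive) timeout; returns their matches."""
        timeout = self.idle_timeout()
        dead = [m for m, e in self.entries.items() if now - e.last_seen > timeout]
        for m in dead:
            del self.entries[m]
        return dead

    def _evict_one(self):
        # Half-open entries go first (attack flows never complete the handshake),
        # then the least-used entry, then the one least recently seen.
        victim = min(self.entries.values(),
                     key=lambda e: (0 if e.half_open else 1, e.packets, e.last_seen))
        del self.entries[victim.match]
        return victim.match

    def install(self, match, now, half_open=False):
        """Install an entry, evicting one first if the table is full; returns evicted matches."""
        evicted = []
        if match in self.entries:
            self.entries[match].last_seen = now
            return evicted
        if len(self.entries) >= self.capacity:
            evicted.append(self._evict_one())
        self.entries[match] = FlowEntry(match, now, half_open)
        return evicted

    def observe(self, match, now, handshake_completed=False):
        """Account a packet matched by an entry; a completed handshake clears half-open state."""
        entry = self.entries.get(match)
        if entry is None:
            return False
        entry.packets += 1
        entry.last_seen = now
        if handshake_completed:
            entry.half_open = False
        return True


if __name__ == "__main__":
    ft = FlowTableManager(capacity=4)
    for m in ("A", "B", "C"):
        ft.install(m, 0.0)
    for _ in range(10):
        ft.observe("A", 1.0)
    ft.install("D", 2.0, half_open=True)         # SYN-only flow fills the last slot
    print("timeout at full table:", ft.idle_timeout())
    print("installing E evicts:", ft.install("E", 3.0))   # the half-open entry D
```

The eviction order is the security decision: under a SYN flood the half-open entries are exactly the attacker's state, so they are the cheapest to discard, while the packet-count tie-break protects long-lived legitimate flows that the slow-rate overflow attack tries to crowd out.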
Attackers also launch DDoS attacks against links in the SDN control plane and data plane, disrupting normal traffic forwarding. Zakaria et al. [82] proposed a rate-limiting strategy for mitigating reflective DDoS attacks; it uses statistical analysis and machine learning to identify the characteristics of malicious traffic and establishes rate-limiting policies that reduce the forwarding of packets with those characteristics.
Hong et al. [83] proposed a dynamic routing defense strategy that uses information entropy and a dynamic threshold to detect and locate hosts generating abnormal traffic; the abnormal host traffic is redistributed according to the capacity of the network channels to relieve the link congestion caused by a DDoS attack on a single target. Kalkan et al. [25] proposed SDNScore, a traffic filtering strategy for mitigating link DDoS attacks that uses statistical methods to analyse packet attributes such as IP address, port and TTL and to assess the similarity of traffic; the controller filters attack traffic according to its score. Alamri et al. [84] proposed a bandwidth limitation algorithm in which the SDN controller detects when the traffic on a link exceeds a threshold, dynamically adjusts the link's traffic limit with a bandwidth adjustment factor, and activates an XGBoost-based detection module to identify malicious traffic. Wang et al. [85] developed a global search algorithm on the SDN controller that detects and identifies the links congested by link-flooding attacks; congested links are then handled by blocking and discarding the abnormal packets.
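The rate-limiting idea of [82] and the bandwidth adjustment factor of [84], as an added Python example that is not the authors' code: packets carrying a reflection-like signature (UDP from a common amplifier service port with a large payload, an illustrative feature set rather than the statistically derived one in the cited work) are policed by a byte token bucket, and at the end of every measurement interval the bucket's allowance is scaled by a factor that halves while the link is above a utilisation threshold and recovers gradually otherwise. Link capacity, the share reserved for suspicious traffic, the threshold and the packet sizes are assumed values.

```python
class TokenBucket:
    """Byte-based token bucket: `rate` bytes/s refill, `burst` bytes capacity."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = 0.0

    def allow(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def is_reflection_like(pkt):
    """Illustrative signature of amplified reflection traffic: UDP from an amplifier
    service port carrying a large payload."""
    return (pkt["proto"] == "udp" and pkt["sport"] in {53, 123, 1900, 11211}
            and pkt["size"] > 512)


class AdaptiveLinkLimiter:
    """Polices the suspicious class on one link; a bandwidth adjustment factor driven by
    measured utilisation scales how much of the link that class may consume."""

    def __init__(self, link_capacity_bps, suspicious_share=0.2,
                 utilisation_threshold=0.7, min_factor=0.125):
        self.capacity_bytes = link_capacity_bps / 8.0           # bytes per second
        self.base_rate = self.capacity_bytes * suspicious_share  # suspicious class allowance
        self.threshold = utilisation_threshold
        self.min_factor = min_factor                             # never starve the class completely
        self.factor = 1.0
        self.bucket = TokenBucket(self.base_rate, self.base_rate)  # burst = one second's worth
        self.forwarded_bytes = 0
        self.interval_start = 0.0

    def process(self, pkt, now):
        """True if the packet is forwarded. Only the suspicious class is limited here."""
        if is_reflection_like(pkt) and not self.bucket.allow(pkt["size"], now):
            return False
        self.forwarded_bytes += pkt["size"]
        return True

    def end_interval(self, now):
        """Measure link utilisation over the interval and adjust the factor; returns the new factor."""
        seconds = now - self.interval_start
        utilisation = self.forwarded_bytes / (self.capacity_bytes * seconds)
        if utilisation > self.threshold:
            self.factor = max(self.min_factor, self.factor * 0.5)   # squeeze suspicious traffic
        else:
            self.factor = min(1.0, self.factor * 1.25)              # recover slowly
        self.bucket.rate = self.base_rate * self.factor
        self.bucket.burst = self.bucket.rate
        self.bucket.tokens = min(self.bucket.tokens, self.bucket.burst)
        self.forwarded_bytes = 0
        self.interval_start = now
        return self.factor


if __name__ == "__main__":
    lim = AdaptiveLinkLimiter(link_capacity_bps=1_000_000)      # 1 Mbit/s link (assumed)
    refl = {"proto": "udp", "sport": 53, "dport": 40000, "size": 1000}   # constructed packet
    norm = {"proto": "tcp", "sport": 443, "dport": 50000, "size": 1000}  # constructed packet
    print("reflection packets passed at t=0:", sum(lim.process(refl, 0.0) for _ in range(40)))
    print("factor after quiet interval:", lim.end_interval(1.0))
    for _ in range(100):
        lim.process(norm, 1.0)
    print("factor after busy interval:", lim.end_interval(2.0))
    print("reflection packets passed at t=2:", sum(lim.process(refl, 2.0) for _ in range(40)))
```

In an SDN deployment the same logic maps onto OpenFlow meters: the controller installs a meter with a rate band for the suspicious match and rewrites the band rate whenever the factor changes, which keeps the policing in the data plane and avoids punting every packet to the controller.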
Policy-based methods are easy to implement on the network and have a negligible effect on resources. However, they are prone to dropping legitimate traffic, and they depend on detection techniques that identify malicious traffic accurately. Defenders have to establish forwarding policies tailored to the specific characteristics of the attack in order to reject malicious traffic. Even with such policies in place, attack flows still create malicious flow table entries in the switch, so in addition to restricting forwarding it is necessary to clean up the entries in the switch flow table [27].

5.2. Moving Target Defense Technology

As attack methods keep evolving, traditional defenses such as blocking and eliminating attack traffic are becoming less effective at providing real-time defense, and they have clear shortcomings against DDoS attacks. Moving target defense (MTD), an emerging network security strategy, replaces the passive posture of traditional network defense and often achieves good results against such attacks [86]. Because of network programmability and centralized control logic, SDN can easily deploy moving target defense strategies against DDoS attacks. The end-information hopping strategy dynamically changes host information in the SDN data plane and protects the data plane against DDoS attacks.

5.2.1. Port Address Hopping-Based Defense Technology

The concept of Port Address Hopping (PAH) defense originated in the APOD project of the US military in 2003 [87]. Shi et al. [88] demonstrated the effectiveness of end-information hopping against DoS attacks and built a hybrid hopping communication network in Java in which the port, address, service time slot and encryption algorithm all change. Network availability was verified by simulating SYN flood attacks; compared with a non-hopping system, end-information hopping resists DoS attacks effectively.
Port hopping is a relatively simple and effective way to deploy end-to-end information hopping. Badishi et al. [89] proposed a port-hopping protocol that filters packets by address and port number to mitigate DoS attacks. Zhang et al. [90] proposed PH-DM, a port hopping scheme implemented in SDN controllers that hops ports randomly during communication; sender and receiver stay synchronized through a timestamp feedback-based synchronization method, so communication is not interrupted. The MASON framework of Chowdhary et al. [91] first scores the threat to the system to identify high-risk services and hosts and then deploys port hopping for them. This targeted plan defends vulnerable SDN-protected devices well and, compared with blind hopping, has a smaller impact on the network; however, the security of the hop synchronization receives insufficient consideration, and the method for evaluating network threats needs further design. Zhao et al. [92] proposed an encryption strategy that augments the Diffie-Hellman exchange with port hopping, ensuring the randomness of the hopped port and the confidentiality of the synchronization process and thereby securing the SDN network.
Port hopping does not require modifying existing protocols, but strict synchronization rules must be established between sender and receiver, and establishing them is the main implementation challenge. Given the centralized control of SDN, deploying port hopping rules in the SDN controller can enhance network security. Port hopping offers only limited protection when attackers flood specific ports, but it also has a defensive effect against port scanning. If the hopping strategy is not designed securely, however, an attacker who collects enough observations can derive the hopping rule, rendering the strategy ineffective. When deploying port hopping rules in SDN it is also necessary to consider how hopped traffic can pass through firewalls, among other related issues.
Port hopping mitigates, to a degree, DDoS attacks aimed at specific ports, but an attacker can still flood the target's IP address directly. To strengthen the defense against more sophisticated attackers, address hopping was proposed: under an address hopping rule, both communicating parties change their IP address information according to predetermined rules, and only packets carrying the correct address information are delivered to the intended destination, giving an effective defense against external DDoS attacks. Reference [93] introduced hybrid network address hopping (NAH) in computer networks as a means of strengthening data transmission security; computer simulations of the NAH system confirmed superior anti-interference capability and better confidentiality of transmitted data. Taking advantage of SDN's independent control plane, the address hopping strategy can be implemented in the SDN controller. Zheng et al. [94] proposed an address hopping scheme for SDN in which the flow table entries for the hopped IP addresses are pushed to the OpenFlow switch by the SDN controller; the switch verifies a message by checking its source and destination IP and then forwards it by matching. When the packet traffic of a given address exceeds a predetermined threshold, the next address hop is triggered and the controller reallocates the flow table entries so that the attack is evaded. Tu et al. [95] proposed an address hopping scheme based on chaotic sequences, which generate the hopping pattern and so address the vulnerability of static hopping rules to cracking. Reference [96] implemented the address hopping rule on SDN switches and terminal nodes, reducing controller load and network overhead. Combining address hopping with deep learning now makes adaptive hopping possible: reference [97] uses CNN detectors to detect attacker behaviour and promptly trigger address hops. Compared with conventional hopping rules, this scheme is more specific and adapts the hopping process to attacker behaviour, which reduces the system overhead caused by address hops. Reference [98] presents an SDN address hopping algorithm that uses flow-count synchronization to hop adaptively according to network traffic patterns, while RSA verification protects the transmitted information, strengthening resilience against DDoS attacks.
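One way to realise the port hopping of Section 5.2.1 and the address hopping just described with a single keyed derivation, as an added Python example that is not code from any of the cited papers: both endpoints share a secret and a coarse clock, the (address, port) for a flow in hop slot t is taken from HMAC-SHA256(key, t || flow id), and the receiver accepts a packet only if it hits the endpoint of the current slot or of a neighbouring slot, which is how the synchronization problem noted above is tolerated without a separate synchronization exchange. The shared key, address pool, slot length and skew tolerance are assumed values; the controller-side flow entries that would translate the hopped address to the real server are not shown.

```python
import hashlib
import hmac
import struct


def hop_slot(timestamp, slot_seconds):
    """Index of the hopping interval that `timestamp` falls in (both sides need synchronised clocks)."""
    return int(timestamp // slot_seconds)


def derive_endpoint(key, slot, flow_id, address_pool, port_range=(10000, 60000)):
    """Keyed, per-slot derivation of the (address, port) a flow is reachable at.

    Without `key`, an observer sees only a sequence of apparently random endpoints.
    Address and port come from one HMAC output, so the two hop together (hybrid hopping).
    """
    msg = struct.pack(">Q", slot) + flow_id.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    address = address_pool[int.from_bytes(digest[:4], "big") % len(address_pool)]
    lo, hi = port_range
    port = lo + int.from_bytes(digest[4:8], "big") % (hi - lo)
    return address, port


def sender_target(key, flow_id, address_pool, now, slot_seconds=2.0):
    """Endpoint the client addresses its packets to at time `now`."""
    return derive_endpoint(key, hop_slot(now, slot_seconds), flow_id, address_pool)


class HoppingReceiver:
    """Server side: a packet is accepted only if it hits the endpoint of the current slot or of
    one of `skew_slots` neighbouring slots (tolerating clock drift and transit delay). Packets
    to any other endpoint are attacker traffic aimed at a stale or guessed address/port."""

    def __init__(self, key, flow_id, address_pool, slot_seconds=2.0, skew_slots=1):
        self.key = key
        self.flow_id = flow_id
        self.address_pool = address_pool
        self.slot_seconds = slot_seconds
        self.skew_slots = skew_slots

    def valid_endpoints(self, now):
        slot = hop_slot(now, self.slot_seconds)
        return {derive_endpoint(self.key, s, self.flow_id, self.address_pool)
                for s in range(slot - self.skew_slots, slot + self.skew_slots + 1)}

    def accept(self, dst_address, dst_port, now):
        return (dst_address, dst_port) in self.valid_endpoints(now)


# Constructed parameters for the example: a shared key and a pool of four hoppable addresses.
KEY = b"example-shared-secret-not-for-production"
POOL = ["10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.13"]


if __name__ == "__main__":
    rx = HoppingReceiver(KEY, "web", POOL)
    addr, port = sender_target(KEY, "web", POOL, now=100.0)
    print("client sends to", addr, port)
    for t in (100.0, 102.5, 104.1):
        print("receiver at t=%.1f accepts: %s" % (t, rx.accept(addr, port, t)))
```

The skew window is the trade-off the page's Table 5 calls the synchronization issue: a wider window tolerates worse clocks but lets an attacker who has just observed an endpoint keep flooding it for longer, and a small address pool (here four addresses) means the address part of the hop adds only two bits of unpredictability, so most of the entropy comes from the port range.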
Deploying address hopping strategies in SDN provides a certain level of defense against DDoS attacks. It remains difficult, however, to distinguish legitimate from malicious traffic accurately and to guarantee the normal forwarding of traffic. Under address hopping rules, the size of the address space also determines how effective the defense can be. For certain targeted network attacks, address hopping can be combined with honeypots or intrusion detection devices, which not only defends but also helps deceive and trace the attackers [99].
Hybrid hopping integrates several information mutation techniques to improve defensive effectiveness. Shi et al. [100] introduced an active network defense technology based on mixed end-information hopping, in which port and address hop simultaneously during communication while an end-information-expanding synchronization strategy keeps both sides synchronized, achieving high-speed Port Address Hopping; the system remains available even under multiple DDoS attacks. Hu et al. [101] introduced a moving target defense scheme based on the OpenFlow protocol that changes the IP address at each hop of the OpenFlow switch, applies port hopping in inter-domain networks, and synchronizes information through a dedicated synchronization server. It can be deployed not only in SDN environments but also in conventional networks equipped with OpenFlow switches, defends robustly against DDoS attacks on specific nodes, and is relatively straightforward to deploy. The AEH-MTD technology of reference [102] uses an entropy method to identify different types of DDoS attacks and sets the information hopping period according to whether the attacker is attacking blindly, which maximizes defense effectiveness while minimizing the effect of the hopping rules on system availability and limits the attacker's access to useful information.
Table 5 compares the mitigation approaches based on hopping technology. Given the varied forms and heavy obfuscation of DDoS attacks, end-information hopping alone is not sufficient for optimal defense, and port/address hopping requires defenders to develop robust synchronization techniques to keep the network continuously available [103]. To improve protection against the security threats posed by attackers, the end-to-end information hopping strategy must be integrated with other dynamic defense strategies, using up-to-date technology to design and implement a robust architecture and information space. By continuously changing the attack surface, the attacker's moves are rendered ineffective and exposed, countering DDoS attacks and upholding system security.
Table 5. Comparative analysis of network hopping technology.
| Tactics | Strengths | Weaknesses | References |
| :---: | :---: | :---: | :---: |
| Port hopping | No protocol modification required; simple deployment | Poor DDoS attack defense capability; hopping rule easy to discover | [89-92] |
| IP address hopping | No protocol modification required; good DDoS attack defense capability | Implementation relatively complex; small hopping address space | [94-98] |
| Hybrid hopping | Hopping rule difficult to discover | Difficult to deploy; high deployment cost; terminal time synchronization issue | [100-102] |
| Route hopping | Can defend against link-layer DDoS attacks | Protocol modification required; implementation complexity; impact on network availability | [104,105] |

5.2.2. Other Moving Target Defense Technology

A crossfire DDoS attack is an emerging form of cyber-attack that targets crucial network links rather than hosts. Traditional defenses such as host information hopping have proven ineffective against it. Routing reconstruction mitigates DDoS attacks against links by adjusting the link structure. Xie et al. [104] introduced a dynamic routing hop defense strategy in response to crossfire attacks. The scheme is implemented in the SDN controller and reconfigures the routing of a specific link when abnormal traffic is detected, thereby mitigating the link attack. Liu et al. [105] introduced a routing hop strategy based on the OpenFlow protocol. The scheme collects network traffic data to build a matrix of traffic characteristic entropy, uses it to detect and identify network anomalies, and triggers route mutation based on the detection result. It generates new routing paths with an enhanced ant colony algorithm and can thereby withstand DDoS attacks. Because the hop is triggered by detected traffic anomalies, a short reconstruction cycle can itself degrade network availability. Route reconstruction prevents attackers from extending their attack range by exploiting known routes, and it provides a defensive capability against link-layer DDoS attacks. Traffic redirection protects the target host by diverting the attack traffic. Hyder et al. [106] proposed a moving target defense scheme based on traffic redirection for crossfire DDoS attacks; it uses NFV technology to redirect the traffic of the attacked link to a shadow host, thereby mitigating the attack.
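As an added illustration, not code from the original survey nor the implementation of Xie et al. [104] or Liu et al. [105], the following Python sketch walks through the two halves of route reconstruction as described above: an entropy matrix of source and destination addresses per link is compared against a baseline window to flag the link under attack, and a route mutation recomputes the path of every flow crossing that link around it. The topology, link costs, flow samples and the 1-bit deviation threshold are constructed assumptions; the path generator is plain Dijkstra rather than the enhanced ant colony algorithm of [105], and treating a deviation in either direction of either entropy as anomalous is this example's choice, since the survey does not specify the rule.

```python
"""Entropy-triggered route mutation on a constructed SDN topology (added example)."""
import heapq
import math
from collections import Counter

# Constructed topology: switch pairs with link costs. s2-s3 is the cheap link that
# many shortest paths share, which is what a crossfire attack tries to saturate.
LINKS = {
    ("s1", "s2"): 1, ("s2", "s3"): 1, ("s3", "s4"): 1,
    ("s1", "s5"): 2, ("s5", "s6"): 2, ("s6", "s4"): 2,
    ("s2", "s5"): 3, ("s3", "s6"): 3,
}


def adjacency(links):
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def shortest_path(links, src, dst, avoid=()):
    """Dijkstra with the links in `avoid` removed; returns the node list or None if disconnected."""
    banned = {frozenset(l) for l in avoid}
    adj = adjacency(links)
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, c in adj.get(u, {}).items():
            if frozenset((u, v)) in banned or d + c >= dist.get(v, math.inf):
                continue
            dist[v], prev[v] = d + c, u
            heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def entropy(values):
    """Shannon entropy in bits; a flood toward one target drives destination entropy toward 0."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def entropy_matrix(samples):
    """samples: (link, src_ip, dst_ip) tuples from one window -> {link: (H_src, H_dst)}."""
    per_link = {}
    for link, s, d in samples:
        per_link.setdefault(link, ([], []))
        per_link[link][0].append(s)
        per_link[link][1].append(d)
    return {l: (entropy(s), entropy(d)) for l, (s, d) in per_link.items()}


def anomalous_links(current, baseline, delta):
    """Links whose src or dst entropy moved more than `delta` bits from the baseline window (assumed rule)."""
    return sorted(l for l, (hs, hd) in current.items()
                  if l in baseline and max(abs(hs - baseline[l][0]), abs(hd - baseline[l][1])) > delta)


def path_links(path):
    return [frozenset(p) for p in zip(path, path[1:])]


def mutate_routes(links, flows, bad_links):
    """Recompute the route of every flow that crosses a flagged link; other flows keep their path."""
    bad = {frozenset(l) for l in bad_links}
    new_routes = {}
    for fid, (src, dst, path) in flows.items():
        if bad.intersection(path_links(path)):
            new_routes[fid] = shortest_path(links, src, dst, avoid=bad_links)
    return new_routes


def detect_and_mutate(links, flows, baseline_samples, window_samples, delta=1.0):
    """One controller cycle: entropy matrix -> flagged links -> route mutation for affected flows."""
    bad = anomalous_links(entropy_matrix(window_samples), entropy_matrix(baseline_samples), delta)
    return bad, mutate_routes(links, flows, bad)


# Constructed flow samples. The baseline window sees diverse sources and destinations on
# both links; in the attack window, sixteen sources converge on one host behind s4.
BASELINE = [(("s2", "s3"), "10.0.1.%d" % i, "10.0.2.%d" % (i % 4)) for i in range(8)] + \
           [(("s5", "s6"), "10.0.3.%d" % i, "10.0.4.%d" % (i % 4)) for i in range(8)]
ATTACK = [(("s2", "s3"), "203.0.113.%d" % i, "10.0.2.1") for i in range(16)] + \
         [(("s5", "s6"), "10.0.3.%d" % i, "10.0.4.%d" % (i % 4)) for i in range(8)]
FLOWS = {"f1": ("s1", "s4", ["s1", "s2", "s3", "s4"]), "f2": ("s1", "s5", ["s1", "s5"])}

if __name__ == "__main__":
    print(detect_and_mutate(LINKS, FLOWS, BASELINE, ATTACK))
```

On the constructed windows the destination entropy on s2-s3 collapses from 2 bits to 0, the link is flagged, and flow f1 is moved from s1-s2-s3-s4 to the costlier s1-s5-s6-s4 while f2 is left alone. The availability caveat from the paragraph above shows up directly: every mutation is a path change for live flows, so the window length and `delta` trade detection latency against churn.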
For DDoS attacks in SDN, game-theoretic moving target defense approaches determine the most effective strategy for the defender under the prevailing network conditions, with the aim of reaching an equilibrium. Chowdhary et al. [107] proposed a model that treats a DDoS attack as a dynamic game between attackers and defenders. They devised defense rules together with reward and punishment mechanisms in order to identify the strategy that minimizes network bandwidth consumption and the impact of DDoS attacks. The scheme relies on Snort for intrusion detection; however, attackers who adhere to specific rules can evade the intrusion detection system, rendering the defense strategy ineffective. Zhou et al. [108] addressed the high cost of MTD methods by using multi-objective Markov decision processes to derive MTD strategies. The scheme brings legitimate users into the game alongside attackers and defenders and balances the cost and benefit of a shuffle-based MTD strategy. This game model requires prior training to converge, relies heavily on pre-existing knowledge, and cannot provide optimal defense against novel DDoS attacks. Du et al. [109] applied game theory to honeypot-based DDoS defense, proposing a twofold honeypot strategy for SDN modeled from the attacker's perspective.
The defender sets up a pseudo-honeypot game to lure attackers, continually adapts the pseudo-honeypot to counter FTP flow and SYN flood attacks in the network, and balances resource usage against defense effectiveness. Priyadarsini et al. [110] designed a trust value controller attack detection (TCAD) model based on signaling game theory. The model constructs trust values from changes in switch traffic, distinguishes normal users from attackers by trust value, and thereby detects and mitigates DDoS attacks.
The game theory model does not propose novel defense measures against DDoS attacks; rather, it emphasizes striking a balance between the costs and benefits of existing DDoS defense strategies. The game process depends on modeling past attacker behavior, so defense against new DDoS attacks is suboptimal. Currently, the predominant game-based moving target defense strategies are primarily static. They fail to fully account for the dynamic, multi-stage confrontation between attackers and defenders, and in real-world network deployments they cannot reach optimal decisions against multi-stage network attacks.
The relevant comparisons of moving target defense technologies are presented in Table 6. By constantly changing protection strategies or system configurations, moving target defense makes it difficult for attackers to identify effective target points and to concentrate their firepower on a saturation attack against a single target. However, the real-time monitoring of network conditions and the need to respond swiftly to changes increase computational resource consumption and decrease overall network performance. Currently, there is no standardized, mature solution for moving target defense, and the synchronization of network devices remains a significant challenge that limits the application of this technology.
Table 6. Comparative analysis of the moving target defense technology.
| Tactics | Strengths | Weaknesses | References |
| :--- | :--- | :--- | :--- |
| Port/address hopping | No protocol modification required; simple deployment | Poor DDoS attack defense capability; hopping rule easy to discover | [89-102] |
| Routing reconstruction | Can defend against link-layer DDoS attacks | Protocol modification required; implementation complexity; impact on network availability | [104,105] |
| Shadow host/honeypot | Can identify attack types; attacker traceable | Possible identification by attackers | [106,109] |
| Game theory | Game strategy can deceive attackers and diminish attack effectiveness | An attack model needs to be developed; must be used in conjunction with other defense strategies | [107-110] |

6. Experiment Environment Analysis of the Literature

In the literature reviewed above, significant progress has been made in technical methods and theory. However, there are notable variations in the construction and standardization of experimental environments. For example, some studies are based on single-controller SDN simulation experiments, while others extend the experimental environment to multi-controller SDN. The choice of traffic generation tool also differs widely, ranging from Scapy and Hping3 to customized botnet simulators. There is further diversity in how attack scenarios are modeled, how network size is set, and which performance indicators are selected. This section analyzes the common experimental environments and their problems from the perspectives of simulators and controllers, DDoS traffic generators, and the datasets used in these experiments.

6.1. SDN Simulator and Controller

In terms of simulator and experimental environment, over 90% of the literature opts for Mininet as the experimental platform. Mininet is a lightweight network virtualization tool that leverages the namespaces provided by the Linux kernel, virtual Ethernet devices, and Open vSwitch to create a complete SDN environment. It is suitable for rapidly constructing and testing SDN deployments and the applications that run on them. The literature [69] uses OMNeT++ as its simulation tool. Compared to Mininet, OMNeT++ can redefine network layers and protocols, which makes it suitable for complex network models and for large-scale, detailed network simulations. Meanwhile, some works [42,47] integrate SDN with IoT to assess the effectiveness of their detection and mitigation methods in an IoT environment.
Among the experimental controllers shown in Table 7, most of the literature uses the Pox and Ryu controllers to implement its defense schemes. Both controllers are written in Python, which is highly flexible and easy to develop and extend. Compared to larger controller projects, Ryu and Pox consume fewer resources and are better suited to research and small-scale deployment scenarios. However, both controllers require additional custom development for an experiment, and they may fail when handling large-scale, high-concurrency traffic.
Table 7. Classification of some reviewed articles based on the utilized controllers.
| Experiment Controller | Detection Techniques | Detection: Machine Learning and Deep Learning | Detection: Hybrid | Mitigation: Policy-Based | Mitigation: Moving Target Defense | Literature Proportion |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| Ryu | [17,20,22,27,29] | [33,36,37,41,43,46,52,55,58] | - | [72,80,84] | [97] | 30% |
| Pox | [16,18,19,23,26] | [40,46,49,51,57,59] | [60] | [70,74,77] | [85] | 26.7% |
| Floodlight | [24,28,71,79,81] | [45-48,51,52] | [66-68] | [82] | - | 23.3% |
| OpenDaylight | [21] | [46] | - | [83] | [91,96,108,110] | 13.3% |
| ONOS | - | [34,46] | - | [75] | [75] | 5% |
| NOX | - | [46] | - | - | - | 1.7% |
The Floodlight controller is an Apache-licensed open-source OpenFlow SDN controller written in Java. It offers strong cross-platform capability, efficient memory management, and concurrent processing, making it suitable for large-scale network environments and high-concurrency traffic. It also supports networks that mix OpenFlow and non-OpenFlow switches.
OpenDaylight is a substantial open-source project overseen by the Linux Foundation. It offers comprehensive southbound and northbound interfaces designed for intricate, largescale SDN network environments. As indicated in the table, the literature on moving target defense technology predominantly utilizes OpenDaylight as the experimental controller.
The ONOS controller is a highly modular SDN controller written in Java, with high availability and large-scale deployment capabilities. It performs well in managing large volumes of data and handling concurrent requests in large-scale SDN networks. At the same time, the controller encounters challenges in deployment, high resource consumption, and low flexibility, which restrict its scalability in experimental scenarios.
NOX is a well-known early SDN controller written in C++ and known for its high operational efficiency. It has since been superseded by next-generation controllers and is limited in functionality and usability.
In terms of controller architecture, most experimental environments that use machine learning methods adopt a single-controller SDN environment. These methods rely on the controller to inspect the traffic of the corresponding switches, without taking into account the impact of a single point of failure on DDoS attack detection. Because defense strategies against link attacks and moving target defense methods must perceive the network environment and adapt to dynamic changes in network deployment, they are frequently evaluated in a multi-controller architecture.

6.2. DDoS Traffic Generation Tools and Datasets

In order to accurately evaluate and optimize the DDoS defense mechanism in SDN architecture, network traffic generation tools are widely used to simulate DDoS attack scenarios, verify the effectiveness of detection algorithms, and test the performance of defense systems. Table 8 presents the primary traffic generation tools identified in the relevant literature research.
Table 8. Classification of some reviewed articles based on the traffic generation tools.
| Traffic Simulator | Description | Research Works |
| :--- | :--- | :--- |
| Scapy | An interactive packet-crafting program that lets users build, send, receive and parse packets of any network protocol at a low level. | [18-20,24,74,82,83] |
| Hping3 | A command-line TCP/IP packet assembly and testing tool offering far richer functionality than traditional ping. | [21,33,37,47,64,67] |
| D-ITG | A high-performance traffic generator that produces complex multi-flow, multi-protocol traffic and can simulate traffic loads in high-concurrency scenarios. | [52,55] |
| Botnet simulator | Simulates the attack behavior of a large number of controlled nodes to reproduce realistic distributed attack scenarios. | [29,60] |
| TFN2K | An early distributed denial-of-service attack tool, used to analyze the behavior patterns and attack mechanisms of attackers. | [60] |
Scapy is an interactive packet processing library based on Python. It offers a high level of flexibility for constructing, sending, receiving, and parsing packets of various network protocols. In DDoS attack simulation scenarios, Scapy can be used to meticulously design and execute complex attack traffic models to assess the effectiveness of target systems or defense mechanisms.
Hping3 is a robust command line network tool that allows for the extensive manipulation of various aspects of the TCP/IP protocol stack. It is used to generate and send customized network traffic, mimicking common techniques in DDoS attacks, such as TCP SYN Flooding, and can be utilized for security testing and auditing.
D-ITG is an advanced network performance testing tool that generates large volumes of realistic multi-protocol, multi-mode traffic. In a controlled security testing environment its main purpose is to measure network performance and quality of service; by configuring high-load traffic with DDoS characteristics, it helps users evaluate the resilience of network devices and protection systems.
The botnet simulator is used to reproduce the behavior of a botnet in a lawful, controllable manner. It can simulate a large number of network requests initiated by concurrent nodes, reproduce large-scale DDoS attack scenarios, and give researchers a platform for understanding botnet attack mechanisms and propagation strategies and for testing defense measures.
TFN2K (Tribe Flood Network 2000) is an early, illicit DDoS attack tool that showcases the technical features of early distributed denial-of-service attacks. In today's research environment its principles can be applied to build a credible simulator, which assists academic researchers and network security practitioners in analyzing historical attack methods and refining modern defenses accordingly.
Traffic generation tools simulate DDoS attack behavior by creating large numbers of packets of the same type, and low-rate DDoS attacks can be simulated by adjusting the sending rate. However, the characteristics of generated traffic are predetermined and lack variability, which makes it difficult to reproduce the complex traffic characteristics of a real network with generators and simulators alone. A recommended method is to capture actual network traffic and blend it, in proportion, with the malicious traffic produced by the generators, and to assess the efficacy of DDoS detection and mitigation techniques on the mixture.
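As an added example (not from the survey or from the tools it lists), the following Python script does in code what the tools above are used for in the reviewed experiments: it builds raw IPv4/TCP packets with valid header checksums, generates a spoofed-source SYN flood in the manner of `hping3 -S --rand-source`, blends it with a constructed stand-in for captured background traffic at a chosen attack ratio as recommended above, and serializes the labelled mixture as a pcap for replay or feature extraction. The addresses, ports, payload and the 1 ms packet spacing are assumptions; in practice the benign side comes from a real capture.

```python
"""Spoofed SYN generation and benign/attack blending into a labelled pcap (added example)."""
import random
import struct
import time

SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by both IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, ident=0, payload=b""):
    """Raw IPv4 + TCP packet (no options) with valid IP and TCP checksums, as Scapy/hping3 emit."""
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident, 0x4000, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_sum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_sum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def checksums_valid(pkt: bytes) -> bool:
    """Recomputing the sum over a valid header (checksum field included) yields 0."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0


def syn_flood(dst_ip, dport, count, rng):
    """hping3 -S --rand-source style: every SYN carries a fresh spoofed source address and port."""
    pkts = []
    for i in range(count):
        src = "%d.%d.%d.%d" % (rng.randint(1, 223), rng.randint(0, 255), rng.randint(0, 255), rng.randint(1, 254))
        pkts.append(build_tcp_packet(src, dst_ip, rng.randint(1024, 65535), dport, SYN,
                                     seq=rng.getrandbits(32), ident=i & 0xFFFF))
    return pkts


def benign_sample(dst_ip, rng):
    """Constructed stand-in for captured background traffic: established flows pushing data."""
    return [build_tcp_packet("10.0.0.%d" % (i + 2), dst_ip, 40000 + i, 80, ACK | PSH,
                             seq=rng.getrandbits(32), ack=rng.getrandbits(32), ident=i,
                             payload=b"GET / HTTP/1.1\r\n\r\n") for i in range(10)]


def blend(benign, attack, attack_ratio, rng):
    """Mix attack packets into benign traffic so that `attack_ratio` of the output is attack."""
    if not 0.0 < attack_ratio < 1.0:
        raise ValueError("attack_ratio must lie strictly between 0 and 1")
    n_attack = int(round(len(benign) * attack_ratio / (1.0 - attack_ratio)))
    if n_attack > len(attack):
        raise ValueError("need %d attack packets, have %d" % (n_attack, len(attack)))
    mixed = [(0, p) for p in benign] + [(1, p) for p in attack[:n_attack]]
    rng.shuffle(mixed)
    return mixed  # (label, packet): 1 = attack, 0 = benign


def to_pcap(packets, start=None):
    """Serialise raw IP packets as a pcap (LINKTYPE_RAW = 101) for replay or feature extraction."""
    start = time.time() if start is None else start
    out = bytearray(struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101))
    for i, pkt in enumerate(packets):
        ts = start + i * 0.001  # 1 ms spacing (assumption); real captures keep original timing
        out += struct.pack("!IIII", int(ts), int((ts % 1) * 1e6), len(pkt), len(pkt)) + pkt
    return bytes(out)


def make_blended_capture(dst_ip="10.0.0.9", attack_count=50, attack_ratio=0.5, seed=7):
    """End to end: generate, blend, serialise. Returns (labelled packets, pcap bytes)."""
    rng = random.Random(seed)
    mixed = blend(benign_sample(dst_ip, rng), syn_flood(dst_ip, 80, attack_count, rng), attack_ratio, rng)
    return mixed, to_pcap([p for _, p in mixed], start=1700000000.0)


if __name__ == "__main__":
    mixed, pcap = make_blended_capture()
    print("%d packets, %d attack, %d pcap bytes" % (len(mixed), sum(l for l, _ in mixed), len(pcap)))
```

The packets are only assembled in memory; sending them needs a raw socket and belongs on an isolated lab network such as a Mininet topology. Keeping the label next to each packet is what turns the blended capture into usable ground truth for the detection experiments discussed in this section.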
In machine learning-based DDoS attack detection schemes, high-quality datasets are the cornerstone for constructing and validating detection models. Table 9 lists the DDoS attack datasets commonly used in relevant literature research.
Table 9. Classification of some reviewed articles based on the utilized dataset.
| Dataset | Description | Research Works |
| :--- | :--- | :--- |
| CIC-DDoS 2019 | Contains normal traffic and multiple types of DDoS attacks, simulating DDoS attack scenarios in modern data center environments. | [32,58,65,72,84] |
| CAIDA | Includes anonymized packet-level records, flow-level data, and real-time or historical BGP routing information for network measurement, topology analysis, and security research. | [52,57,73,79] |
| NSL-KDD | A preprocessed classic dataset containing four categories of network attacks plus normal traffic, used to evaluate intrusion detection systems. | [39,48,52] |
| CIC-IDS-2017 | Contains a large amount of data simulating different attack types and normal traffic in realistic network environments, suitable for developing and testing machine learning-based intrusion detection systems. | [31,36,54] |
| ISCX | A dataset of various types of network attack traffic, including mixed attacks and normal traffic, supporting research on new attack techniques. | [56,66,75] |
| DARPA | Datasets from the early large-scale Intrusion Detection System Evaluation of the US Defense Advanced Research Projects Agency. | [42] |
| UNSW-NB15 | Contains data for 9 attack types and normal traffic, characterized by rich features and diverse attacks. | [59] |
| CTU-13 | Provides network traffic in PCAP format for a range of malicious software activities, especially botnets. | [66] |
| MAWI Working Group Traffic Archive | Public large-scale network traffic archive, mainly used for research in network engineering, transport protocol analysis, and traffic modeling. | [26] |
| Kaggle | DDoS and other network attack datasets contributed by the cybersecurity community. | [35] |
| LLS 2.0 DDoS dataset | Designed specifically for DDoS attack scenarios; contains DDoS attack traffic samples of different scales and complexities. | [23] |
The CIC-DDoS 2019 dataset was released by the University of New Brunswick in Canada for research on DDoS attacks. The dataset contains a substantial number of labeled data points that differentiate between normal network traffic and various DDoS attack traffic. This provides researchers with an experimental environment featuring the latest attack patterns and defense challenges. This dataset highlights the significance of accurately identifying DDoS attacks in intricate network environments, and its feature set may include detailed packet inspection (DPI) level information.
CAIDA is a significant resource center for Internet traffic research. The platform offers a wide range of public Internet traffic datasets, such as anonymous packet-level data, route table snapshots, and instances of large-scale DDoS attacks. These data provide valuable information for the academic and industrial communities to enhance network traffic models, conduct research on DDoS defense strategies, and analyze the security of network infrastructure.
NSL-KDD is a preprocessed version of the KDD Cup 1999 dataset, primarily utilized for research on intrusion detection systems. Although it mainly focuses on general types of intrusion behavior rather than specifically targeting DDoS attacks, it does contain a small number of DDoS-related samples that can be used to train and test network intrusion detection algorithms.
The CIC-IDS-2017 dataset, released by the University of Carleton in Canada, is an intrusion detection dataset based on real network traffic. It includes various types of network attacks, such as DDoS attacks. This updated dataset aims to represent the current threat landscape in modern network environments and serve as an experimental platform for the latest security research.
The ISCX series is a collection of intrusion detection system datasets created by the Information Security and Cryptography Laboratory at the University of Ottawa, Canada. The ISCX IDS 2012 dataset contains a substantial volume of both normal and abnormal traffic records, making it suitable for DDoS attack detection and other network attack research.
The intrusion detection and evaluation project by DARPA has generated a series of significant datasets to facilitate research competitions in the field of network security. These datasets contain various types of network attacks, including early instances of DDoS attacks, which are highly significant for understanding the development of DDoS attacks.
The UNSW-NB15 dataset was created by the University of New South Wales in Australia. It includes detailed feature descriptions and covers a wide range of attack categories, including various types of DDoS attacks. It is currently widely used as a benchmark dataset in the fields of network intrusion detection and DDoS research.
The CTU-13 dataset from the Prague University of Technology in the Czech Republic focuses on botnet activities and covers various DDoS attack scenarios. This dataset offers samples of malicious traffic generated in real network environments, making it particularly valuable for in-depth research on the sources and propagation methods of DDoS attacks.
The MAWI Working Group Traffic Archive collects real-time network traffic data on the Japanese Internet backbone. These data are valuable for researchers studying large-scale network behaviors, such as pattern recognition and traffic characteristics analysis of DDoS attacks.
As the world's largest data science competition platform, Kaggle frequently releases datasets related to cybersecurity and machine learning in collaboration with industry partners. It contains real datasets focused on DDoS attacks.
The LLS 2.0 DDoS dataset is provided by MIT Lincoln Laboratory and is specifically designed for detecting DDoS attacks. It provides simulated or real DDoS attack traffic data for training and testing the effectiveness of DDoS defense systems. This type of dataset helps researchers better simulate real-world attack scenarios when developing effective defense mechanisms.
Although the aforementioned datasets have yielded favorable results in training DDoS attack detection models, the continuous evolution of DDoS attacks means that early datasets may not capture the latest network attack technologies and trends. Simulation-based datasets may deviate from real-world scenarios. Furthermore, various datasets offer varying feature dimensions and depths, thereby complicating the process of feature selection and processing in machine learning models. Many datasets are not designed for SDN and do not accurately reflect the traffic characteristics in real SDN environments. Further experiments are still needed in real-world network scenarios.

7. Research Challenges and Gap

In this paper, we examine the existing research literature on detection and mitigation technologies against DDoS attacks in SDN environments, and categorize and review these methods based on the technologies employed in the literature. A comparison of the application scope, advantages, and disadvantages of the detection and mitigation technologies discussed in this article can be found in Table 10.
Although the DDoS detection and mitigation techniques mentioned above can mitigate DDoS attacks in some experimental settings within the SDN environment, the diversified and covert nature of DDoS attack methods continues to present ongoing challenges. Therefore, there are still issues and challenges that need to be overcome in DDoS attack defense mechanisms.
  • Application plane security. At present, most DDoS attack detection methods are deployed on the SDN control plane and data plane, neglecting security detection on the application plane. In fact, the security of the northbound interface of the SDN control plane also plays a crucial role in the normal operation of the SDN. Due to the openness and flexibility of SDN, there is a lack of strict access control, identity authentication, and anomaly detection mechanisms in the application layer. Attackers can launch a high volume of API calls within a short timeframe using malicious applications, resulting in controller crashes and the complete paralysis of the entire network. Therefore, strengthening the security of the SDN application layer is also an important measure to defend against DDoS attacks.
  • Real network scenarios and load balance. In real-world scenarios, SDN architecture inevitably faces synchronization and load-balancing issues caused by multi-controller systems. Currently, most research is based on simulation experiments of single-controller SDN systems. In real SDN deployments, a single-controller system is unreliable. In a multi-controller system, the traffic of switches is distributed among various switches, which poses difficulties for DDoS attack detection. On one hand, DDoS attacks are more covert due to dispersed traffic, requiring more targeted detection thresholds. On the other hand, SDN with multiple controllers also needs to consider load balancing, distributing traffic evenly among different controllers to prevent heavy load on a single controller from being mistaken for an attack. Wang et al. [111] deployed a DDoS attack defense scheme in a multi-controller system but did not consider the synchronization strategy of multiple controllers. The problem of effectively allocating resources, achieving load balancing, and synchronizing flow table information from multiple controllers is a challenge that SDN security policy deployment needs to address.
  • Network information synchronization. Network information synchronization is the core issue of DDoS dynamic defense methods. If the synchronization of the sender and receiver information cannot be guaranteed during the information hopping process, network availability is impacted. The commonly used synchronization methods at present are time-based synchronization methods and protocol-based synchronization methods [112]. Time-based synchronization methods are affected by network latency and time accuracy, making it difficult to achieve accurate information synchronization. The protocol-based synchronization method requires prior communication negotiation and confirmation between the parties involved in the communication. However, this method is susceptible to replay attacks and tampering, which can disrupt the synchronization of network information hops. Security research on information synchronization methods for dynamic defense is also a research direction.
  • Distinguishing between DDoS attacks and flash events. In a real network, there are often many legitimate users accessing the network simultaneously, which can lead to flash events. During these events, the website server is unable to provide normal services [113]. Unlike DDoS attacks, such an event is caused by a surge in network traffic from legitimate users and cannot be prevented solely through DDoS attack defense strategies. Luo et al. [114] introduced methods to distinguish and detect flash events and DDoS attacks, along with a dataset for detection. Sun et al. [64] proposed a method for detecting flow feature-based DDoS attacks and discriminating flash events in SDN. At present, it is also an urgent problem to distinguish between DDoS attacks and flash events in SDN and adopt different mitigation strategies to avoid affecting the legitimate use of the network by normal users.
  • Adaptive DDoS attack defense. Attackers often adapt their attack methods based on the intelligence gathered in the early stages to evade network defenses and detection methods. Studying adaptive attack detection mechanisms for DDoS attacks in SDN has become an important topic. In statistics-based DDoS detection methods, dynamic detection thresholds are set according to the actual network traffic volume and attack methods in order to reduce false alarm rates; they minimize the impact on network availability while ensuring accurate detection. In machine learning detection methods, selecting traffic features based on attack types helps train the model for detection. This approach reduces model complexity while improving accuracy [115]. The currently commonly used method is to combine lightweight identification methods with heavyweight detection algorithms to efficiently and accurately detect and identify DDoS attacks. In dynamic defense methods, the selection of the information hop space and period also requires adaptive adjustment in order to achieve adaptive information hopping. At present, research is focused on achieving network-adaptive DDoS attack detection and minimizing the impact on network availability. This involves developing DDoS defense measures that target various attack methods and scales.
  • Protocol security. At present, there is no clear industry standard for security in SDN network architecture. Although organizations such as the Open Network Foundation [116] and the European Telecommunications Standards Association [117] have established certain security standards, there are still no fully recognized security standards domestically and internationally. This lack of recognized standards also impacts the security of SDN. Kloti et al. [118] conducted a security analysis on the OpenFlow protocol and experimentally verified that attackers can easily perform sniffing and DoS attacks on devices that deploy OpenFlow. In response to vulnerabilities in the SDN communication protocol, attackers can also compromise SDN security through methods such as man-in-the-middle attacks and spoofing attacks. Therefore, establishing security protocol standards is also an important measure to defend against DDoS attacks and ensure the security of SDN.
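The two bullets on flash events and on adaptive (dynamic-threshold) detection describe a statistical detector that must keep its false alarm rate down while traffic converges on one target. The following Python block is an added illustration for this survey, not code from any of the cited works: it computes the normalized destination-IP entropy of each time window, derives the alarm threshold from the entropies of windows previously judged benign (mean minus k standard deviations, with a floor), and, when entropy collapses, uses the fraction of source addresses already seen during benign windows to separate a flash event from a DDoS attack. The threshold rule, the known-source heuristic and the flow records are all constructed assumptions for the demonstration.

```python
"""Entropy-based DDoS detection with an adaptive threshold and a flash-event check.

Added illustration; not code from any surveyed paper.  Assumptions: the alarm
threshold is the mean entropy of recent benign windows minus k standard
deviations (with a floor so a flat baseline is not brittle), and a low-entropy
window whose sources mostly appeared during benign windows is treated as a
flash event rather than as a DDoS attack.  All traffic below is constructed.
"""
from collections import Counter, deque
from math import log2
from statistics import mean, pstdev


def normalized_entropy(values):
    """Shannon entropy of a sample divided by log2(#distinct values):
    1.0 = evenly spread over the observed values, 0.0 = a single value."""
    counts = Counter(values)
    total = sum(counts.values())
    if len(counts) <= 1:
        return 0.0
    h = -sum(c / total * log2(c / total) for c in counts.values())
    return h / log2(len(counts))


class AdaptiveEntropyDetector:
    """Per-window detector keyed on destination-IP entropy with a learned threshold."""

    def __init__(self, k=3.0, floor=0.05, min_baseline=5, history=50, known_ratio=0.5):
        self.k = k                      # std deviations below the baseline mean
        self.floor = floor              # minimum gap between mean and threshold
        self.min_baseline = min_baseline
        self.known_ratio = known_ratio  # assumption: >= this fraction of known sources -> flash event
        self.baseline = deque(maxlen=history)   # entropies of windows judged benign
        self.known_sources = set()

    def threshold(self):
        """Dynamic threshold, or None while the baseline is still being learned."""
        if len(self.baseline) < self.min_baseline:
            return None
        return mean(self.baseline) - max(self.k * pstdev(self.baseline), self.floor)

    def observe(self, flows):
        """flows: (src_ip, dst_ip) pairs seen in one window. Returns (verdict, entropy, threshold)."""
        flows = list(flows)
        thr = self.threshold()
        if not flows:
            return "idle", 0.0, thr
        h = normalized_entropy(dst for _, dst in flows)
        sources = {src for src, _ in flows}
        if thr is None:
            verdict = "learning"
        elif h >= thr:
            verdict = "normal"
        else:
            known = len(sources & self.known_sources) / len(sources)
            verdict = "flash_event" if known >= self.known_ratio else "ddos"
        if verdict in ("learning", "normal"):
            # Only benign windows feed the baseline and the known-source set,
            # so an ongoing attack cannot drag the threshold down.
            self.baseline.append(h)
            self.known_sources.update(sources)
        return verdict, h, thr


# --- constructed sample traffic (not a real capture) ---------------------------
CLIENTS = [f"10.0.0.{i}" for i in range(1, 51)]       # 50 regular clients
SERVERS = [f"203.0.113.{i}" for i in range(1, 21)]    # 20 internal services
VICTIM = SERVERS[0]


def normal_window(n=200):
    """Clients spread their requests evenly across all services."""
    return [(CLIENTS[i % 50], SERVERS[i % 20]) for i in range(n)]


def flash_window():
    """Regular clients (plus 20 newcomers) all rush to one service."""
    burst = [(CLIENTS[j % 50] if j % 40 else f"198.51.100.{j // 40}", VICTIM)
             for j in range(800)]
    return normal_window() + burst


def ddos_window():
    """800 never-seen (spoofed) sources hit the same service on top of normal traffic."""
    burst = [(f"198.18.{j // 256}.{j % 256}", VICTIM) for j in range(800)]
    return normal_window() + burst


def run_demo():
    """Six benign windows, then a flash event, then a DDoS window."""
    det = AdaptiveEntropyDetector()
    verdicts = [det.observe(normal_window())[0] for _ in range(6)]
    verdicts.append(det.observe(flash_window())[0])
    verdicts.append(det.observe(ddos_window())[0])
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Both attack-like windows drive the normalized destination entropy from about 1.0 down to roughly 0.35, well below the learned threshold of 0.95; only the known-source fraction (about 0.71 for the flash event versus about 0.06 for the spoofed flood) tells them apart. A production detector would add flow rate and per-source features, as the flow feature-based methods cited above do.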
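The bullet on network information synchronization notes that time-based synchronization of a hopping scheme suffers from latency and clock accuracy. The following Python block is an added illustration for this survey, not code from any cited work: sender and receiver derive the current hop value (here a destination port) from a shared key and the index of the current time slot using HMAC-SHA256, and the receiver accepts the values of the neighbouring slots as well, so a packet delayed across a slot boundary or a small clock skew still synchronizes, while a value derived for a slot far outside the window is rejected. The slot length, the one-slot tolerance, the port range and the clock readings are assumptions.

```python
"""Time-based synchronization for an information-hopping (MTD) scheme.

Added illustration; not code from any surveyed paper.  Assumptions: a 30 s hop
period, a tolerance of one slot on each side of the receiver's clock, ports in
[20000, 60000), and a shared key provisioned out of band.
"""
import hashlib
import hmac

SLOT_SECONDS = 30                     # assumed hop period
PORT_LOW, PORT_HIGH = 20000, 60000    # assumed hop space, [low, high)


def slot_index(t, period=SLOT_SECONDS):
    """Index of the hop period that timestamp t (seconds) falls into."""
    return int(t // period)


def hop_port(key, slot, low=PORT_LOW, high=PORT_HIGH):
    """Pseudo-random port for one slot, derived from HMAC-SHA256(key, slot)."""
    mac = hmac.new(key, slot.to_bytes(8, "big", signed=True), hashlib.sha256).digest()
    return low + int.from_bytes(mac[:4], "big") % (high - low)


class HoppingSender:
    """Sender side: picks the port for its own clock reading."""

    def __init__(self, key):
        self.key = key

    def port_for(self, now):
        return hop_port(self.key, slot_index(now))


class HoppingReceiver:
    """Receiver side: decides whether an incoming port matches a live slot."""

    def __init__(self, key, tolerance=1):
        self.key = key
        self.tolerance = tolerance    # slots of skew accepted on each side of 'now'

    def matching_slots(self, now, dst_port):
        """Slots inside the tolerance window whose hop value equals dst_port.
        An empty list means the packet is out of sync (stale, skewed or forged)."""
        centre = slot_index(now)
        window = range(centre - self.tolerance, centre + self.tolerance + 1)
        return [s for s in window if hop_port(self.key, s) == dst_port]


def demo():
    """Constructed scenario with explicit clock readings instead of time.time()."""
    key = b"constructed-shared-key"
    tx, rx = HoppingSender(key), HoppingReceiver(key)
    sent_at = 119.8                                   # 0.2 s before the slot 3 -> 4 edge
    port = tx.port_for(sent_at)
    late_but_ok = rx.matching_slots(120.3, port)      # arrives 0.5 s later, in slot 4
    stale = rx.matching_slots(sent_at + 10 * SLOT_SECONDS, port)  # same value, 5 min later
    return late_but_ok, stale


if __name__ == "__main__":
    print(demo())
```

Widening the tolerance makes the scheme more robust to latency but keeps each hop value valid longer, which is exactly the trade-off the bullet describes; the stale check shows why a value captured in one period is useless a few periods later.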
Table 10. Summary of DDoS attack defense techniques in SDN.
| Technology | Scope | Plane | Key Points | Strengths | Weaknesses |
| :---: | :---: | :---: | :---: | :---: | :---: |
| Statistical analysis | Detection | Data/control | Utilizing statistical parameters of traffic characteristics or information entropy for the detection of DDoS attacks. | Low resource consumption and high real-time performance | High false alarm rate (FAR) |
| Machine learning | Detection/Mitigation | Control | The deployment of machine learning algorithms in control planes to identify DDoS attack traffic in networks. | High accuracy | Model training is complex and has low real-time performance |
| Hybrid detection | Detection/Mitigation | Data/control | Statistical analysis and machine learning multi-level detection methods for DDoS attack detection. | Balancing real-time detection and accuracy | Difficulty in deployment; parameter settings affect detection effectiveness |
| MTD | Mitigation | Control | Dynamic changes in network information to mitigate DDoS attacks. | Improves the security of SDN | High requirements for network systems and communication synchronization issues |
| Policy-based mitigation | Mitigation | Data/control/application | Set traffic forwarding policies to effectively discard malicious traffic and ensure the transmission of clean traffic. | Easy to implement and minimal resource usage | May affect normal traffic |

8. Conclusions

With the application of SDN architecture in various real-world scenarios, the security issues of SDN remain a significant challenge. On the one hand, many traditional network security problems still exist in SDN. On the other hand, the openness of SDN brings new security issues. This article focuses on the common DDoS attack problems in SDN and introduces several mainstream methods for detecting and mitigating DDoS attacks in SDN environments. The advantages and limitations of these methods are analyzed in terms of attack detection accuracy, real-time performance, network resource consumption, and types of DDoS attacks. Finally, this article raises questions and challenges regarding existing methods. Of course, there are also research areas that have not been covered in this article, such as the SDN communication protocol against DDoS attacks [119] and application-level defense methods against DDoS attacks [120]. Absolute network security does not exist, and security attacks on networks will never end. Detecting and defending against new types of DDoS attacks in SDN environments will continue to be an area of exploration in the future. In future work, the authors plan to utilize threat intelligence to model attackers, develop dynamic defense strategies using SDN programmability, achieve the early detection of DDoS attacks and localization of attackers, minimize controller overhead, and establish the traceability of attackers.
Funding: This research was funded by the Science and Technology on Complex Electronic System Simulation Laboratory, grant number 614201002012204.
Data Availability Statement: The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.
Conflicts of Interest: The authors declare no conflict of interest.

References

  1. Chen, J.; Zheng, X.; Rong, C. Survey on software-defined networking. In Proceedings of the Second International Conference on Cloud Computing and Big Data in Asia, Huangshan, China, 17-19 June 2015; Springer: Cham, Switzerland, 2015; pp. 115-124.
  2. Scott-Hayward, S.; Natarajan, S.; Sezer, S. A Survey of Security in Software Defined Networks. IEEE Commun. Surv. Tutor. 2016, 18, 623-654. [CrossRef]
  3. Ubale, T.; Jain, A.K. Survey on DDoS attack techniques and solutions in software-defined network. In Handbook of Computer Networks and Cyber Security; Springer: Cham, Switzerland, 2020; pp. 389-419.
  4. Mittal, M.; Kumar, K.; Behal, S. Deep learning approaches for detecting DDoS attacks: A systematic review. Soft Comput. 2023, 27, 13039-13075. [CrossRef]
  5. Ali, T.E.; Chong, Y.W.; Manickam, S. Machine Learning Techniques to Detect a DDoS Attack in SDN: A Systematic Review. Appl. Sci. 2023, 13, 3183. [CrossRef]
  6. Karnani, S.; Shakya, H.K. Mitigation strategies for distributed denial of service (DDoS) in SDN: A survey and taxonomy. Inf. Secur. J. Glob. Perspect. 2023, 32, 444-468. [CrossRef]
  7. Kaur, S.; Kumar, K.; Aggarwal, N.; Singh, G. A comprehensive survey of DDoS defense solutions in SDN: Taxonomy, research challenges, and future directions. Comput. Secur. 2021, 110, 102423. [CrossRef]
  8. Behal, S.; Singh, J. Detection and Mitigation of DDoS attacks in SDN: A Comprehensive Review, Research Challenges and Future Directions. Comput. Sci. Rev. 2020, 37, 100279.
  9. Maleh, Y.; Qasmaoui, Y.; El Gholami, K.; Sadqi, Y.; Mounir, S. A comprehensive survey on SDN security: Threats, mitigations, and future directions. J. Reliab. Intell. Environ. 2023, 9, 201-239. [CrossRef]
  10. Ahmad, S.; Mir, A.H. SDN Interfaces: Protocols, Taxonomy and Challenges. Int. J. Wirel. Microwave Technol. 2022, 12, 11-32. [CrossRef]
  11. Alhijawi, B.; Almajali, S.; Elgala, H.; Salameh, H.B.; Ayyash, M. A survey on DoS/DDoS mitigation techniques in SDNs: Classification, comparison, solutions, testing tools and datasets. Comput. Electr. Eng. 2022, 99, 107706. [CrossRef]
  12. Patwardhan, A.; Jayarama, D.; Limaye, N.; Vidhale, S.; Parekh, Z.; Harfoush, K. SDN Security: Information disclosure and flow table overflow attacks. In Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA, 9-13 December 2019; IEEE: New York, NY, USA, 2019; pp. 1-6.
  13. Cao, J.; Xu, M.; Li, Q.; Sun, K.; Yang, Y.; Zheng, J. Disrupting SDN via the data plane: A low-rate flow table overflow attack. In Proceedings of the International Conference on Security and Privacy in Communication Systems, Niagara Falls, ON, Canada, 22-25 October 2017; Springer: Cham, Switzerland, 2017; pp. 356-376.
  14. Dover, J.M. A Denial of Service Attack against the Open Floodlight SDN Controller; Dover Networks LCC.: Edgewater, MD, USA, 2013.
  15. Rauf, B.; Abbas, H.; Usman, M.; Zia, T.A.; Iqbal, W.; Abbas, Y.; Afzal, H. Application Threats to Exploit Northbound Interface Vulnerabilities in Software Defined Networks. ACM Comput. Surv. 2021, 54, 1-36. [CrossRef]
    Rauf, B.; Abbas, H.; Usman, M.; Zia, T.A.; Iqbal, W.; Abbas, Y.; Afzal, H. Application Threats to Exploit Northbound Interface Vulnerabilities in Software Defined Networks.ACM Comput.Surv.2021, 54, 1-36.[CrossRef] (英文)
  16. Yadav, S.K.; Suguna, P.; Velusamy, R.L. Entropy based mitigation of Distributed-Denial-of-Service (DDoS) attack on Control Plane in Software-Defined-Network (SDN). In Proceedings of the 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kanpur, India, 6-8 July 2019; IEEE: New York, NY, USA, 2019; pp. 1-7.
    Yadav, S.K.; Suguna, P.; Velusamy, R.L. Entropy based mitigation of Distributed-Denial-of-Service (DDoS) attack on Control Plane in Software-Defined-Network (SDN).In Proceedings of the 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kanpur, India, 6-8 July 2019; IEEE: New York, NY, USA, 2019; pp.
  17. Ahalawat, A.; Dash, S.S.; Panda, A.; Babu, K.S. Entropy based DDoS detection and mitigation in OpenFlow enabled SDN. In Proceedings of the 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN), Vellore, India, 30-31 March 2019; IEEE: New York, NY, USA, 2019; pp. 1-5.
    Ahalawat, A.; Dash, S.S.; Panda, A.; Babu, K.S. Entropy based DDoS detection and mitigation in OpenFlow enabled SDN.In Proceedings of the 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN), Vellore, India, 30-31 March 2019; IEEE: New York, NY, USA, 2019; pp.
  18. Carvalho, R.N.; Bordim, J.L.; Alchieri EA, P. Entropy-based DoS attack identification in SDN. In Proceedings of the 2019 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), Rio de Janeiro, Brazil, 20-24 May 2019; IEEE: New York, NY, USA, 2019; pp. 627-634.
    Carvalho, R.N.; Bordim, J.L.; Alchieri EA, P. SDN 中基於熵的 DoS 攻擊識別。In Proceedings of the 2019 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), Rio de Janeiro, Brazil, 20-24 May 2019; IEEE: New York, NY, USA, 2019; pp.
  19. Hemmati, Z.; Mirjalily, G.; Mohtajollah, Z. Entropy-based DDoS Attack Detection in SDN using Dynamic Threshold. In Proceedings of the 2021 7th International Conference on Signal Processing and Intelligent Systems (ICSPIS), Tehran, Iran, 29-30 December 2021; IEEE: New York, NY, USA, 2021; pp. 1-5.
    Hemmati, Z.; Mirjalily, G.; Mohtajollah, Z. Entropy-based DDoS Attack Detection in SDN using Dynamic Threshold.In Proceedings of the 2021 7th International Conference on Signal Processing and Intelligent Systems (ICSPIS), Tehran, Iran, 29-30 December 2021; IEEE: New York, NY, USA, 2021; pp.
  20. Ujjan RM, A.; Pervez, Z.; Dahal, K.; Khan, W.A.; Khattak, A.M.; Hayat, B. Entropy based features distribution for anti-DDoS model in SDN. Sustainability 2021, 13, 1522. [CrossRef]
    Ujjan RM, A.; Pervez, Z.; Dahal, K.; Khan, W.A.; Khattak, A.M.; Hayat, B. Entropy based features distribution for anti-DDoS model in SDN.Sustainability 2021, 13, 1522.[CrossRef] (英文)
  21. Tao, L.; Sheng, Y. DDoS attack detection and recognition based on cross entropy in SDN environment. Comput. Appl. Softw. 2018, 38, 328-333.
    在 SDN 環境中基於交叉熵的 DDoS 攻擊偵測與識別。Comput.Appl.2018, 38, 328-333.
  22. Kalkan, K.; Altay, L.; Gür, G.; Alagöz, F. JESS: Joint entropy-based DDoS defense scheme in SDN. IEEE J. Sel. Areas Commun. 2018, 36, 2358-2372. [CrossRef]
    Kalkan, K.; Altay, L.; Gür, G.; Alagöz, F. JESS:SDN 中基於聯合熵的 DDoS 防禦方案。IEEE J. Sel.Areas Commun.2018, 36, 2358-2372.[CrossRef].
  23. Xuanyuan, M.; Ramsurrun, V.; Seeam, A. Detection and mitigation of DDoS attacks using conditional entropy in software-defined networking. In Proceedings of the 2019 11th International Conference on Advanced Computing (ICoAC), Chennai, India, 18-20 December 2019; IEEE: New York, NY, USA, 2019; pp. 66-71.
    Xuanyuan, M.; Ramsurrun, V.; Seeam, A. Detection and mitigation of DDoS attacks using conditional entropy in software-defined networking.In Proceedings of the 2019 11th International Conference on Advanced Computing (ICoAC), Chennai, India, 18-20 December 2019; IEEE: New York, NY, USA, 2019; pp.
  24. Li, R.; Wu, B. Early detection of DDoS based on φ-entropy in SDN networks. In Proceedings of the 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Chongqing, China, 12-14 June 2020; IEEE: New York, NY, USA, 2020; Volume 1, pp. 731-735.
  25. Kalkan, K.; Gür, G.; Alagöz, F. SDNScore: A statistical defense mechanism against DDoS attacks in SDN environment. In Proceedings of the 2017 IEEE Symposium on Computers and Communications (ISCC), Heraklion, Greece, 3-6 July 2017; IEEE: New York, NY, USA, 2017; pp. 669-675.
  26. Fouladi, R.F.; Ermiş, O.; Anarim, E. A DDoS attack detection and defense scheme using time-series analysis for SDN. J. Inf. Secur. Appl. 2020, 54, 102587. [CrossRef]
  27. Shohani, R.B.; Mostafavi, S.; Hakami, V. A statistical model for early detection of DDoS attacks on random targets in SDN. Wirel. Pers. Commun. 2021, 120, 379-400. [CrossRef]
  28. Wang, M.H.; Wu, S.Y.; Yen, L.H.; Tseng, C.C. PathMon: Path-specific traffic monitoring in OpenFlow-enabled networks. In Proceedings of the 2016 Eighth International Conference on Ubiquitous and Future Networks (ICUFN), Vienna, Austria, 5-8 July 2016; IEEE: New York, NY, USA, 2016; pp. 775-780.
  29. Sahay, R.; Blanc, G.; Zhang, Z.; Debar, H. ArOMA: An SDN based autonomic DDoS mitigation framework. Comput. Secur. 2017, 70, 482-499. [CrossRef]
  30. Yuhua, X.; Zhixin, S. Research progress in abnormal traffic detection in software-defined networks. J. Softw. 2020, 31, 183-207. Available online: http://www.jos.org.cn/1000-9825/5879.htm (accessed on 6 November 2019).
  31. Kokila, R.T.; Selvi, S.T.; Govindarajan, K. DDoS detection and analysis in SDN-based environment using support vector machine classifier. In Proceedings of the 2014 Sixth International Conference on Advanced Computing (ICoAC), Chennai, India, 17-19 December 2014; IEEE: New York, NY, USA, 2014; pp. 205-210.
  32. Mehr, S.Y.; Ramamurthy, B. An SVM based DDoS attack detection method for Ryu SDN controller. In Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies, Orlando, FL, USA, 9-12 December 2019; pp. 72-73.
  33. Ye, J.; Cheng, X.; Zhu, J.; Feng, L.; Song, L. A DDoS attack detection method based on SVM in software defined network. Secur. Commun. Netw. 2018, 2018, 9804061. [CrossRef]
  34. Zhao, J.; Zeng, P.; Shang, W.; Tong, G. DDoS attack detection based on one-class SVM in SDN. In Proceedings of the International Conference on Artificial Intelligence and Security, Hohhot, China, 17-20 July 2020; Springer: Singapore, 2020; pp. 189-200.
  35. Myint Oo, M.; Kamolphiwong, S.; Kamolphiwong, T.; Vasupongayya, S. Advanced support vector machine (ASVM) based detection for distributed denial of service (DDoS) attack on software defined networking (SDN). J. Comput. Netw. Commun. 2019, 2019, 8012568. [CrossRef]
  36. Abdullahi Wabi, A.; Idris, I.; Mikail Olaniyi, O.; Joseph, A.; Surajudeen Adebayo, O. Modeling DDoS attacks in SDN and detection using random forest classifier. J. Cyber Secur. Technol. 2023, 1-14. [CrossRef]
  37. Santos, R.; Souza, D.; Santo, W.; Ribeiro, A.; Moreno, E. Machine learning algorithms to detect DDoS attacks in SDN. Concurr. Comput. Pract. Exp. 2020, 32, e5402. [CrossRef]
  38. Khashab, F.; Moubarak, J.; Feghali, A.; Bassil, C. DDoS attack detection and mitigation in SDN using machine learning. In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June-2 July 2021; IEEE: New York, NY, USA, 2021; pp. 395-401.
  39. Dong, S.; Sarem, M. DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks. IEEE Access 2019, 8, 5039-5048. [CrossRef]
  40. Latah, M.; Toker, L. Towards an efficient anomaly-based intrusion detection for software-defined networks. IET Netw. 2018, 7, 453-459. [CrossRef]
  41. Nam, T.M.; Phong, P.H.; Khoa, T.D.; Huong, T.T.; Nam, P.N.; Thanh, N.H.; Thang, L.X.; Tuan, P.A.; Dung, L.Q.; Loi, V.D. Self-organizing map-based approaches in DDoS flooding detection using SDN. In Proceedings of the 2018 International Conference on Information Networking (ICOIN), Chiang Mai, Thailand, 10-12 January 2018; IEEE: New York, NY, USA, 2018; pp. 249-254.
  42. Hnamte, V.; Balram, G. Implementation of Naive Bayes Classifier for Reducing DDoS Attacks in IoT Networks. J. Algebr. Stat. 2022, 13, 2749-2757.
  43. Nadeem, M.W.; Goh, H.G.; Ponnusamy, V.; Aun, Y. DDoS Detection in SDN using Machine Learning Techniques. Comput. Mater. Contin. 2022, 71, 1. [CrossRef]
  44. Alubaidan, H.; Alzaher, R.; AlQhatani, M.; Mohammed, R. DDoS Detection in Software-Defined Network (SDN) Using Machine Learning. Int. J. Cybern. Inform. 2023, 12, 93-104. [CrossRef]
  45. Wang, J.; Wang, L. SDN-Defend: A Lightweight Online Attack Detection and Mitigation System for DDoS Attacks in SDN. Sensors 2022, 22, 8287. [CrossRef] [PubMed]
  46. Wang, J.; Wang, L.; Wang, R. A Method of DDoS Attack Detection and Mitigation for the Comprehensive Coordinated Protection of SDN Controllers. Entropy 2023, 25, 1210. [CrossRef]
  47. Jmal, R.; Ghabri, W.; Guesmi, R.; Alshammari, B.M.; Alshammari, A.S.; Alsaif, H. Distributed Blockchain-SDN Secure IoT System Based on ANN to Mitigate DDoS Attacks. Appl. Sci. 2023, 13, 4953. [CrossRef]
  48. Priyadarshini, I.; Mohanty, P.; Alkhayyat, A.; Sharma, R.; Kumar, S. SDN and application layer DDoS attacks detection in IoT devices by attention-based Bi-LSTM-CNN. Trans. Emerg. Telecommun. Technol. 2023, 34, e4758. [CrossRef]
  49. Li, C.; Wu, Y.; Yuan, X.; Sun, Z.; Wang, W.; Li, X.; Gong, L. Detection and defense of DDoS attack based on deep learning in OpenFlow-based SDN. Int. J. Commun. Syst. 2018, 31, e3497. [CrossRef]
  50. Bastola, S.B.; Shakya, S.; Sharma, S. Distributed Denial of Service Attack Detection on Software Defined Networking Using Deep Learning. In Proceedings of the 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Udupi, India, 13-16 September 2017.
  51. Makuvaza, A.; Jat, D.S.; Gamundani, A.M. Deep neural network (DNN) solution for real-time detection of distributed denial of service (DDoS) attacks in software defined networks (SDNs). SN Comput. Sci. 2021, 2, 1-10. [CrossRef]
  52. Zhao, J.; Xu, M.; Chen, Y.; Xu, G. A DNN Architecture Generation Method for DDoS Detection via Genetic Algorithm. Future Internet 2023, 15, 122. [CrossRef]
  53. Al-Dunainawi, Y.; Al-Kaseem, B.R.; Al-Raweshidy, H.S. Optimized Artificial Intelligence Model for DDoS Detection in SDN Environment. IEEE Access 2023, 11, 106733-106748. [CrossRef]
  54. Aslam, M.; Ye, D.; Tariq, A.; Asad, M.; Hanif, M.; Ndzi, D.; Chelloug, S.A.; Elaziz, M.A.; Al-Qaness, M.A.A.; Jilani, S.F. Adaptive Machine Learning Based Distributed Denial-of-Services Attacks Detection and Mitigation System for SDN-Enabled IoT. Sensors 2022, 22, 2697. [CrossRef]
  55. Zhijun, W.; Qing, X.; Jingjie, W.; Meng, Y.; Liang, L. Low-rate DDoS attack detection based on factorization machine in software defined network. IEEE Access 2020, 8, 17404-17418. [CrossRef]
  56. Li, J.; Liu, Y.; Gu, L. DDoS attack detection based on neural network. In Proceedings of the 2010 2nd International Symposium on Aware Computing, Tainan, Taiwan, 1-4 November 2010; IEEE: New York, NY, USA, 2010; pp. 196-199.
  57. Malik, J.; Akhunzada, A.; Bibi, I.; Imran, M.; Musaddiq, A.; Kim, S.W. Hybrid deep learning: An efficient reconnaissance and surveillance detection mechanism in SDN. IEEE Access 2020, 8, 134695-134706. [CrossRef]
  58. Cui, Y.; Yan, L.; Li, S.; Xing, H.; Pan, W.; Zhu, J.; Zheng, X. SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks. J. Netw. Comput. Appl. 2016, 68, 65-79. [CrossRef]
  59. Deepa, V.; Sivakumar, B. Detection of DDoS Attack using Multiple Kernel Level (MKL) Algorithm. In Proceedings of the 2022 International Conference on Innovative Trends in Information Technology (ICITIIT), Kottayam, India, 12-13 February 2022; IEEE: New York, NY, USA, 2022; pp. 1-5.
  60. Qi, N.; Wang, W.; Xiao, M.; Jia, L.; Tsiftsis, T. A Learning-Based Spectrum Access Stackelberg Game: Friendly Jammer-Assisted Communication Confrontation. IEEE Trans. Veh. Technol. 2021, 70, 700-713. [CrossRef]
  61. Jia, L.; Xu, Y.; Sun, Y.; Feng, S.; Anpalagan, A. Stackelberg Game Approaches for Anti-Jamming Defence in Wireless Networks. IEEE Wirel. Commun. 2018, 25, 120-128. [CrossRef]
  62. Yao, R.; Zhang, Y.; Wang, S.; Qi, N.; Miridakis, N.I.; Tsiftsis, T.A. Deep Neural Network Assisted Approach for Antenna Selection in Untrusted Relay Networks. IEEE Wirel. Commun. Lett. 2019, 8, 1644-1647. [CrossRef]
  63. Hu, D.; Hong, P.; Chen, Y. FADM: DDoS flooding attack detection and mitigation system in software-defined networking. In Proceedings of the GLOBECOM 2017-2017 IEEE Global Communications Conference, Singapore, 4-8 December 2017; IEEE: New York, NY, USA, 2017; pp. 1-7.
  64. Sun, G.; Jiang, W.; Gu, Y.; Ren, D.; Li, H. DDoS attacks and flash event detection based on flow characteristics in SDN. In Proceedings of the 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS), Auckland, New Zealand, 27-30 November 2018; IEEE: New York, NY, USA, 2018; pp. 1-6.
  65. Novaes, M.P.; Carvalho, L.F.; Lloret, J.; Proenca, M.L. Long short-term memory and fuzzy logic for anomaly detection and mitigation in software-defined network environment. IEEE Access 2020, 8, 83765-83781. [CrossRef]
  66. Banitalebi Dehkordi, A.; Soltanaghaei, M.R.; Boroujeni, F.Z. The DDoS attacks detection through machine learning and statistical methods in SDN. J. Supercomput. 2021, 77, 2383-2415. [CrossRef]
  67. Long, Z.; Jinsong, W. A hybrid method of entropy and SSAE-SVM based DDoS detection and mitigation mechanism in SDN. Comput. Secur. 2022, 115, 102604. [CrossRef]
  68. Singh, A.K.; Jaiswal, R.K.; Abdukodir, K.; Muthanna, A. ARDefense: DDoS detection and prevention using NFV and SDN. In Proceedings of the 2020 12th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), Brno, Czech Republic, 5-7 October 2020; IEEE: New York, NY, USA, 2020; pp. 236-241. [CrossRef]
  69. Ali, A.; Yousaf, M.M. Novel three-tier intrusion detection and prevention system in software defined network. IEEE Access 2020, 8, 109662-109676. [CrossRef]
  70. Sarwar, M.A.; Hussain, M.; Anwar, M.U.; Ahmad, M. FlowJustifier: An optimized trust-based request prioritization approach for mitigation of SDN controller DDoS attacks in the IoT paradigm. In Proceedings of the 3rd International Conference on Future Networks and Distributed Systems, Paris, France, 1-2 July 2019; pp. 1-9.
  71. Deng, S.; Gao, X.; Lu, Z.; Li, Z.; Gao, X. DoS vulnerabilities and mitigation strategies in software-defined networks. J. Netw. Comput. Appl. 2019, 125, 209-219. [CrossRef]
  72. Ravi, N.; Shalinie, S.M.; Lal, C.; Conti, M. AEGIS: Detection and mitigation of TCP SYN flood on SDN controller. IEEE Trans. Netw. Serv. Manag. 2020, 18, 745-759. [CrossRef]
  73. Cao, Y.; Jiang, H.; Deng, Y.; Wu, J.; Zhou, P.; Luo, W. Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network. IEEE Trans. Dependable Secur. Comput. 2021, 19, 3855-3872. [CrossRef]
  74. Wang, M.; Zhou, H.; Chen, J.; Tong, B. An approach for protecting the OpenFlow switch from the saturation attack. In Proceedings of the 2015 4th National Conference on Electrical, Electronics and Computer Engineering, Xi'an, China, 12-13 December 2015; Atlantis Press: Dordrecht, The Netherlands, 2015.
  75. Bawany, N.Z.; Shamsi, J.A. SEAL: SDN based secure and agile framework for protecting smart city applications from DDoS attacks. J. Netw. Comput. Appl. 2019, 145, 102381. [CrossRef]
  76. Yuan, B.; Zou, D.; Yu, S.; Jin, H.; Qiang, W.; Shen, J. Defending against flow table overloading attack in software-defined networks. IEEE Trans. Serv. Comput. 2016, 12, 231-246. [CrossRef]
  77. Bhushan, K.; Gupta, B.B. Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. J. Ambient. Intell. Humaniz. Comput. 2019, 10, 1985-1997. [CrossRef]
  78. Katta, N.; Alipourfard, O.; Rexford, J.; Walker, D. Infinite CacheFlow in software-defined networks. In Proceedings of the Third Workshop on Hot Topics in Software Defined Networking (HotSDN’14), Chicago, IL, USA, 22 August 2014; Association for Computing Machinery: New York, NY, USA, 2014; pp. 175-180.
  79. Dang, V.T.; Huong, T.T.; Thanh, N.H.; Nam, P.N.; Thanh, N.N.; Marshall, A. SDN-based SYN proxy: A solution to enhance performance of attack mitigation under TCP SYN flood. Comput. J. 2019, 62, 518-534. [CrossRef]
  80. Pascoal, T.A.; Dantas, Y.G.; Fonseca, I.E.; Nigam, V. Slow TCAM exhaustion DDoS attack. In Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection, Rome, Italy, 29-31 May 2017; Springer: Cham, Switzerland, 2017; pp. 17-31.
  81. Ma, D.; Xu, Z.; Lin, D. Defending blind DDoS attack on SDN based on moving target defense. In Proceedings of the International Conference on Security and Privacy in Communication Networks, Beijing, China, 24-26 September 2014; Springer: Cham, Switzerland, 2014; pp. 463-480.
  82. Abou El Houda, Z.; Khoukhi, L.; Hafid, A.S. Bringing intelligence to software defined networks: Mitigating DDoS attacks. IEEE Trans. Netw. Serv. Manag. 2020, 17, 2523-2535. [CrossRef]
  83. Hong, G.C.; Lee, C.N.; Lee, M.F. Dynamic threshold for DDoS mitigation in SDN environment. In Proceedings of the 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Lanzhou, China, 18-21 November 2019; IEEE: New York, NY, USA, 2019; pp. 1-7.
  84. Alamri, H.A.; Thayananthan, V. Bandwidth control mechanism and extreme gradient boosting algorithm for protecting software-defined networks against DDoS attacks. IEEE Access 2020, 8, 194269-194288. [CrossRef]
  85. Wang, L.; Li, Q.; Jiang, Y.; Jia, X.; Wu, J. Woodpecker: Detecting and mitigating link-flooding attacks via SDN. Comput. Netw. 2018, 147, 1-13. [CrossRef]
  86. Weizhen, L.; Hailong, L.; Kaiyu, H. End jump technology research review. Comput. Appl. Res. 2021, 38, 2251-2257. [CrossRef]
  87. Atighetchi, M.; Pal, P.; Webber, F.; Jones, C. Adaptive use of network-centric mechanisms in cyber-defense. In Proceedings of the Sixth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, Hokkaido, Japan, 16 May 2003; IEEE: New York, NY, USA, 2003; pp. 183-192.
  88. Leyi, S.; Chunfu, J.; Shuwang, L. Research on Active Network Protection Based on Terminal Information Jump. J. Commun. 2008, 2, 106-110.
  89. Badishi, G.; Herzberg, A.; Keidar, I. Keeping denial-of-service attackers in the dark. IEEE Trans. Dependable Secur. Comput. 2007, 4, 191-204. [CrossRef]
  90. Zhang, L.; Guo, Y.; Yuwen, H.; Wang, Y. A port hopping based DoS mitigation scheme in SDN network. In Proceedings of the 2016 12th International Conference on Computational Intelligence and Security (CIS), Wuxi, China, 16-19 December 2016; IEEE: New York, NY, USA, 2016; pp. 314-317.
  91. Chowdhary, A.; Alshamrani, A.; Huang, D.; Liang, H. MTD analysis and evaluation framework in software defined network (MASON). In Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA, 21 March 2018; pp. 43-48.
  92. Ziyu, Z.; Erdian, G.; Wei, L. Research on encryption-based port jump technology in software-defined network. Comput. Appl. Softw. 2017, 34, 322-328.
  93. Sifalakis, M.; Schmid, S.; Hutchison, D. Network address hopping: A mechanism to enhance data protection for packet communications. In Proceedings of the IEEE International Conference on Communications, ICC 2005, Seoul, Republic of Korea, 16-20 May 2005; IEEE: New York, NY, USA, 2005; Volume 3, pp. 1518-1523.
  94. Zheng, K.; Zhao, X.; Li, X.; Zhou, Y. A SDN-based IP Address Hopping Method Design. In Proceedings of the 2016 5th International Conference on Measurement, Instrumentation and Automation (ICMIA 2016), Shenzhen, China, 17-18 September 2016; Atlantis Press: New York, NY, USA, 2016.
  95. De, T.; Wei, L. SDN address hopping scheme based on chaotic sequence. Comput. Digit. Eng. 2018, 46, 2315-2318.
  96. Chang, S.Y.; Park, Y.; Babu, B.B.A. Fast IP hopping randomization to secure hop-by-hop access in SDN. IEEE Trans. Netw. Serv. Manag. 2018, 16, 308-320. [CrossRef]
  97. Xu, X.; Hu, H.; Liu, Y.; Zhang, H.; Chang, D. An Adaptive IP Hopping Approach for Moving Target Defense Using a Light-Weight CNN Detector. Secur. Commun. Netw. 2021, 2021, 8848473. [CrossRef]
  98. Lou, W.; Li, H.; Hu, K.; Liu, M.; Dong, Q. Flow count synchronous SDN address hopping technology based on DH-RSA negotiation. In Proceedings of the 2021 International Conference on Neural Networks, Information and Communication Engineering, Qingdao, China, 27-28 August 2021; SPIE: Bellingham, WA, USA, 2021; Volume 11933, pp. 251-259.
    Lou, W.; Li, H.; Hu, K.; Liu, M.; Dong, Q. 基於 DH-RSA 協商的流量計同步 SDN 地址跳轉技術。In Proceedings of the 2021 International Conference on Neural Networks, Information and Communication Engineering, Qingdao, China, 27-28 August 2021; SPIE: Bellingham, WA, USA, 2021; Volume 11933, pp.
  99. Jinglei, T.; Hongqi, Z.; Cheng, L.; Zhang, Y.; Chang, D.; Liu, X.; Zhang, H. Research progress on moving target defense technology for SDN. J. Netw. Inf. Secur. 2018, 4, 12.
    Jinglei, T.; Hongqi, Z.; Cheng, L.; Zhang, Y.; Chang, D.; Liu, X.; Zhang, H. Research progress on moving target defense technology for SDN.J. Netw.Inf.Secur.2018, 4, 12.
  100. Shi, L.; Jia, C.; Lü, S.; Liu, Z. Port and address hopping for active cyber-defense. In Proceedings of the Pacific-Asia Workshop on Intelligence and Security Informatics, Chengdu, China, 11-12 April 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 295-300.
    Shi, L.; Jia, C.; Lü, S.; Liu, Z. Port and address hopping for active cyber-defense.In Proceedings of the Pacific-Asia Workshop on Intelligence and Security Informatics, Chengdu, China, 11-12 April 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp.
  101. Yixun, H.; Kangfeng, Z.; Yixian, Y.; Xinxin, N. Network Layer Moving Target Defense Scheme based on OpenFlow. J. Commun. 2017, 38, 102-112.
    Yixun, H.; Kangfeng, Z.; Yixian, Y.; Xinxin, N. 基於 OpenFlow 的網路層移動目標防禦方案。J. Commun.2017, 38, 102-112.
  102. Liu, Z.; He, Y.; Wang, W.; Wang, S.; Li, X.; Zhang, B. AEH-MTD: Adaptive moving target defense scheme for SDN. In Proceedings of the 2019 IEEE International Conference on Smart Internet of Things (SmartIoT), Tianjin, China, 9-11 August 2019; IEEE: New York, NY, USA, 2019; pp. 142-147.
    Liu, Z.; He, Y.; Wang, W.; Wang, S.; Li, X.; Zhang, B. AEH-MTD: Adaptive moving target defense scheme for SDN.In Proceedings of the 2019 IEEE International Conference on Smart Internet of Things (SmartIoT), Tianjin, China, 9-11 August 2019; IEEE: New York, NY, USA, 2019; pp.
  103. Yuyang, Z.; Guang, C.; Chunsheng, G.; Mian, D. Moving targets defense attack surface dynamic transfer technology research review. J. Softw. 2018, 29, 2799-2820.
    Yuyang, Z.; Guang, C.; Chunsheng, G.; Mian, D. Moving targets defense attack surface dynamic transfer technology research review.J. Softw.2018, 29, 2799-2820.
  104. Lixia, X.; Ying, D. Link SDN flooding attack moving targets defense mechanism. J. Tsinghua Univ. 2019, 59, 36-43. [CrossRef]
    Lixia, X.; Ying, D. Link SDN 泛洪攻擊移動目標防禦機制.J. Tsinghua Univ. 2019, 59, 36-43.[CrossRef].
  105. Liu, J.; Zhang, H.; Guo, Z. A defense mechanism of random routing mutation in SDN. IEICE Trans. Inf. Syst. 2017, 100, 1046-1054. [CrossRef]
    SDN 中隨機路由突變的防禦機制。IEICE Trans.Inf.Syst.2017, 100, 1046-1054.[CrossRef].
  106. Hyder, M.F.; Fatima, T.; Khan, S.M.; Arshad, S. Countering crossfire DDoS attacks through moving target defense in SDN networks using OpenFlow traffic modification. Trans. Emerg. Telecommun. Technol. 2023, 34, e4853. [CrossRef]
    Hyder,M.F.;Fatima,T.;Khan,S.M.;Arshad,S. 使用 OpenFlow 流量修改透過 SDN 網路中的移動目標防禦來對抗交叉火力 DDoS 攻擊。Trans.Emerg.Telecommun.Technol.2023, 34, e4853.[CrossRef]
  107. Chowdhary, A.; Pisharody, S.; Alshamrani, A.; Huang, D. Dynamic game based security framework in SDN-enabled cloud networking environments. In Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Scottsdale, AZ, USA, 24 March 2017; pp. 53-58.
    Chowdhary, A.; Pisharody, S.; Alshamrani, A.; Huang, D. 在 SDN 雲端網路環境中基於動態遊戲的安全框架。In Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Scottsdale, AZ, USA, 24 March 2017; pp.
  108. Zhou, Y.; Cheng, G.; Jiang, S.; Chen, Z. Cost-effective moving target defense against DDoS attacks using trilateral game and multi-objective Markov decision processes. Comput. Secur. 2020, 97, 101976. [CrossRef]
    Zhou, Y.; Cheng, G.; Jiang, S.; Chen, Z. Cost-effective moving target defense against DDoS attacks using trilateral game and multi-objective Markov decision processes.Comput.Secur.2020, 97, 101976.[CrossRef]。
  109. Du, M.; Wang, K. An SDN-Enabled Pseudo-Honeypot Strategy for Distributed Denial of Service Attacks in Industrial Internet of Things. IEEE Trans. Ind. Inform. 2020, 16, 648-657. [CrossRef]
    Du, M.; Wang, K. An SDN-Enabled Pseudo-Honeypot Strategy for Distributed Denial of Service Attacks in Industrial Internet of Things.IEEE Trans.Ind.Inform.2020, 16, 648-657.[CrossRef] (英文)
  110. Priyadarsini, M.; Bera, P.; Das, S.K.; Rahman, M.A. A security enforcement framework for SDN controller using game theoretic approach. IEEE Trans. Dependable Secur. Comput. 2022, 20, 1500-1515. [CrossRef]
    Priyadarsini, M.; Bera, P.; Das, S.K.; Rahman, M.A. A security enforcement framework for SDN controller using game theoretic approach.IEEE Trans.Dependable Secur.Comput.2022, 20, 1500-1515.[CrossRef] (英文)
  111. Wang, Y.; Hu, T.; Tang, G.; Xie, J.; Lu, J. SGS: Safe-Guard Scheme for Protecting Control Plane Against DDoS Attacks in Software-Defined Networking. IEEE Access 2019, 7, 34699-34710. [CrossRef]
    Wang, Y.; Hu, T.; Tang, G.; Xie, J.; Lu, J. SGS:軟體定義網路中控制平面防禦 DDoS 攻擊的 Safe-Guard 方案。IEEE Access 2019, 7, 34699-34710.[CrossRef]
  112. Weizhen, H.; Fucai, C.; Jie, N.; Jinglei, T.; Shumin, H.; Guozhen, C. Research progress of Dynamic Jump Technology for Network Layer. J. Netw. Inf. Secur. 2021, 7, 44-55.
    Weizhen, H.; Fucai, C.; Jie, N.; Jinglei, T.; Shumin, H.; Guozhen, C. Research progress of Dynamic Jump Technology for Network Layer.J. Netw.Inf.Secur.2021, 7, 44-55.
  113. Bhatia, S.; Mohay, G.; Tickle, A.; Ahmed, E. Parametric differences between a real-world distributed denial-of-service attack and a flash event. In Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 22-26 August 2011; IEEE: New York, NY, USA, 2011; pp. 210-217.
    Bhatia, S.; Mohay, G.; Tickle, A.; Ahmed, E. 真實世界分散式拒絕服務攻擊與閃電事件的參數差異。In Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 22-26 August 2011; IEEE: New York, NY, USA, 2011; pp.
  114. Kai, L.; Junyong, L.; Meijuan, Y.; Yan, L.; Lizheng, G. A review on the Identification of DDoS attacks with Flash Crowd. Comput. Sci. 2015, 42, 313-316+322.
    凱,L.;俊勇,L.;美娟,Y.;彥,L.;立正,G.利用快閃人群識別 DDoS 攻擊的綜述。Comput.Sci. 2015, 42, 313-316+322.
  115. Jia, L.; Qi, N.; Chu, F.; Fang, S.; Wang, X.; Ma, S.; Feng, S. Game-theoretic learning anti-jamming approaches in wireless networks. IEEE Commun. Mag. 2022, 60, 60-66. [CrossRef]
    Jia, L.; Qi, N.; Chu, F.; Fang, S.; Wang, X.; Ma, S.; Feng, S. Game-theoretic learning anti-jamming approaches in wireless networks.IEEE Commun.Mag.2022, 60, 60-66.[CrossRef] (英文)
  116. ONF. Software-Defined Networking (SDN) Definition. Available online: https://opennetworking.org/sdn-resources/sdndefinition (accessed on 30 June 2022).
    ONF.軟體定義網路 (SDN) 定義。可於線上取得:https://opennetworking.org/sdn-resources/sdndefinition (於 2022 年 6 月 30 日存取)。
  117. European Telecommunications Standards Institute. Available online: http:/ /www.etsi.org/ (accessed on 30 June 2022).
    歐洲電信標準協會。網址:http://www.etsi.org/ (於 2022 年 6 月 30 日存取)。
  118. Kloti, R.; Kotronis, V.; Smith, P. OpenFlow: A security analysis. In Proceedings of the Twenty first IEEE International Conference on Network Protocols (ICNP), Göttingen, Germany, 7-10 October 2013; pp. 1-6.
    Kloti, R.; Kotronis, V.; Smith, P. OpenFlow: A security analysis.In Proceedings of the Twenty first IEEE International Conference on Network Protocols (ICNP), Göttingen, Germany, 7-10 October 2013; pp.
  119. Sjoholmsierchio, M.; Hale, B.; Lukaszewski, D.; Xie, G.G. Strengthening SDN security: Protocol dialecting and downgrade attacks. In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June-2 July 2021; IEEE: New York, NY, USA, 2021; pp. 321-329.
    Sjoholmsierchio, M.; Hale, B.; Lukaszewski, D.; Xie, G.G. 強化 SDN 安全性:通訊協定方言和降級攻擊。In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June-2 July 2021; IEEE: New York, NY, USA, 2021; pp.
  120. Yang, W.; Guang-ming, T.; Shuo, W.; Jiang, C. DDoS Attack Defense mechanism at SDN Application Layer based on API Call management. J. Netw. Inf. Secur. 2022, 8, 73-87.
    基於 API Call 管理的 SDN 應用層 DDoS 攻擊防禦機制。J. Netw.Inf.Secur.2022, 8, 73-87.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.