Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

CATH: an effective method for detecting denial-of-service attacks in software defined networks


Software defined networks (SDNs) are innovative network frameworks that have recently received wide attention. Their programming flexibility facilitates automatic network management and control, thus mitigating existing issues in the traditional network architecture. However, SDNs face several security risks, in particular denial-of-service (DoS) attacks, the most common and serious network attacks. To address such a threat, an SDN-DoS attack detection method is proposed based on fusing multiple flow features for describing the network catastrophe between the normal and the attack state. Several statistic attributes of SDN flow information are first chosen as detection features; subsequently, the cusp model is used to establish a catastrophe equilibrium surface for SDN states. After being trained, the cusp catastrophe model can be utilized to infer whether an SDN is under DoS attack. The experimental results demonstrate that the method can effectively and timely perceive SDN-DoS attacks, not only in simple networks but also in larger enterprise networks.

This is a preview of subscription content, log in to check access.


  1. 1

    Nunes B A A, Mendonca M, Nguyen X N, et al. A survey of software-defined networking: past, present, and future of programmable networks. IEEE Commun Surv Tut, 2014, 16: 1617–1634

  2. 2

    Kreutz D, Ramos F, Verissimo P, et al. Software-defined networking: a comprehensive survey. Proc IEEE, 2015, 103: 14–76

  3. 3

    Kreutz D, Ramos F, Verissimo P. Towards secure and dependable software-defined networks. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, 2013. 55–60

  4. 4

    Shin S, Gu G F. Attacking software-defined networks: a first feasibility study. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, 2013. 165–166

  5. 5

    Kandoi R, Antikainen M. Denial-of-service attacks in OpenFlow SDN networks. In: Proceedings of IFIP/IEEE the 1st International Workshop on Security for Emerging Distributed Network Technologies (DISSECT), Ottawa, 2015. 1323–1326

  6. 6

    McKeown N, Anderson T, Balakrishnan H, et al. OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comp Commun Rev, 2008, 38: 69–74

  7. 7

    Yan Q, Yu F R, Gong Q, et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tut, 2016, 18: 602–622

  8. 8

    Shin S, Yegneswaran V, Porras P, et al. Avant-guard: scalable and vigilant switch flow management in softwaredefined networks. In: Proceedings of ACM SIGSAC Conference on Computer & Communications Security, Berlin, 2013. 413–424

  9. 9

    Wang H P, Xu L, Gu G F. FloodGuard: a DoS attack prevention extension in software-defined networks. In: Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2015

  10. 10

    Giotis K, Argyropoulos C, Androulidakis G, et al. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw, 2014, 62: 122–136

  11. 11

    Mousavi S M, St-Hilaire M. Early detection of DDoS attacks against SDN controllers. In: Proceedings of 2015 International Conference on Computing, Networking and Communications, Garden Grove, 2015. 77–81

  12. 12

    Braga R, Mota E, Passito A. Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: Proceedings of the 35th Annual IEEE Conference on Local Computer Networks, Denver, 2010. 408–415

  13. 13

    Yao L Y, Dong P, Zhang H K. Distributed denial of service attack detection based on object character in software defined network. Chin J Electron Inform Tech, 2017, 39: 381–388

  14. 14

    Porras P, Shin S, Yegneswaran V, et al. A security enforcement kernel for OpenFlow networks. In: Proceedings of SIGGCOMM 1st Workshop on HotSDN. New York: ACM, 2012. 121–126

  15. 15

    Shin S, Porras P, Yegneswaran V, et al. Fresco: modular composable security services for software-defined networks. In: Proceedings of NDSS, 2013. 1–15

  16. 16

    Yao G, Bi J, Xiao P Y. Source address validation solution with openflow nox architecture. In: Proceedings of the 19th IEEE International Conference on Network Protocols, Vancouver, 2011. 7–12

  17. 17

    Fayaz S K, Tobioka Y, Sekar V, et al. Bohatei: flexible and elastic DDoS defense. In: Proceedings of the 24th USENIX Conference on Security Symposium, Washington, 2015. 817–832

  18. 18

    Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms. Comput Commun Rev, 2004, 34: 39–53

  19. 19

    Zargar S T, Joshi J, Tipper D. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun Surv Tut, 2013, 15: 2046–2069

  20. 20

    Huang Y, Geng X J, Whinston A B. Defeating DDoS attacks by fixing the incentive chain. ACM Trans Inter Tech, 2007, 7: 5

  21. 21

    Thom R. Structure stability, catastrophe theory, and applied mathematics. SIAM Rev, 1977, 19: 189–201

  22. 22

    Stamovlasis D. Catastrophe theory: methodology, epistemology, and applications in learning science. In: Complex Dynamical Systems in Education. Berlin: Springer, 2016. 141–175

  23. 23

    Guo R, Yin H, Wang D, et al. Research on the active DDoS filtering algorithm based on IP flow. In: Proceedings of IEEE 5th International Conference on Natural Computation, 2009. 628–632

  24. 24

    Gude N, Koponen T, Pettit J, et al. NOX: towards an operating system for networks. Comput Commun Rev, 2008, 38: 105–110

  25. 25

    Rauber A, Merkl D, Dittenbach M. The growing hierarchical self-organizing map: exploratory analysis of highdimensional data. IEEE Trans Neural Netw, 2002, 13: 1331–1341

  26. 26

    Ashraf J, Latif S. Handling intrusion and DDoS attacks in software defined networks using machine learning techniques. In: Proceedings of IEEE 2014 National Software Engineering Conference (NSEC), Event-Karachi, 2014. 55–60

Download references


This work was supported by National Natural Science Foundation of China (Grant Nos. 61402525, 61402526, 61502528), Key Scientific Research Projects of Henan Province Education Department (Grant No. 18A520004), and Henan Province Science and Technology Projects (Grant No. 182102310925). We also thank Zhong HUA for interesting and helpful discussion on the ideas presented here.

Author information

Correspondence to Yi Guo.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Guo, Y., Miao, F., Zhang, L. et al. CATH: an effective method for detecting denial-of-service attacks in software defined networks. Sci. China Inf. Sci. 62, 32106 (2019).

Download citation


  • DoS attacks
  • software defined network
  • flow features
  • cusp model
  • equilibrium surface