CATH: an effective method for detecting denial-of-service attacks in software defined networks


Software defined networks (SDNs) are innovative network frameworks that have recently received wide attention. Their programming flexibility facilitates automatic network management and control, thus mitigating existing issues in the traditional network architecture. However, SDNs face several security risks, in particular denial-of-service (DoS) attacks, the most common and serious network attacks. To address such a threat, an SDN-DoS attack detection method is proposed based on fusing multiple flow features for describing the network catastrophe between the normal and the attack state. Several statistic attributes of SDN flow information are first chosen as detection features; subsequently, the cusp model is used to establish a catastrophe equilibrium surface for SDN states. After being trained, the cusp catastrophe model can be utilized to infer whether an SDN is under DoS attack. The experimental results demonstrate that the method can effectively and timely perceive SDN-DoS attacks, not only in simple networks but also in larger enterprise networks.

This is a preview of subscription content, access via your institution.


  1. 1

    Nunes B A A, Mendonca M, Nguyen X N, et al. A survey of software-defined networking: past, present, and future of programmable networks. IEEE Commun Surv Tut, 2014, 16: 1617–1634

    Article  Google Scholar 

  2. 2

    Kreutz D, Ramos F, Verissimo P, et al. Software-defined networking: a comprehensive survey. Proc IEEE, 2015, 103: 14–76

    Article  Google Scholar 

  3. 3

    Kreutz D, Ramos F, Verissimo P. Towards secure and dependable software-defined networks. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, 2013. 55–60

    Google Scholar 

  4. 4

    Shin S, Gu G F. Attacking software-defined networks: a first feasibility study. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, 2013. 165–166

    Google Scholar 

  5. 5

    Kandoi R, Antikainen M. Denial-of-service attacks in OpenFlow SDN networks. In: Proceedings of IFIP/IEEE the 1st International Workshop on Security for Emerging Distributed Network Technologies (DISSECT), Ottawa, 2015. 1323–1326

    Google Scholar 

  6. 6

    McKeown N, Anderson T, Balakrishnan H, et al. OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comp Commun Rev, 2008, 38: 69–74

    Article  Google Scholar 

  7. 7

    Yan Q, Yu F R, Gong Q, et al. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tut, 2016, 18: 602–622

    Article  Google Scholar 

  8. 8

    Shin S, Yegneswaran V, Porras P, et al. Avant-guard: scalable and vigilant switch flow management in softwaredefined networks. In: Proceedings of ACM SIGSAC Conference on Computer & Communications Security, Berlin, 2013. 413–424

    Google Scholar 

  9. 9

    Wang H P, Xu L, Gu G F. FloodGuard: a DoS attack prevention extension in software-defined networks. In: Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2015

    Google Scholar 

  10. 10

    Giotis K, Argyropoulos C, Androulidakis G, et al. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw, 2014, 62: 122–136

    Article  Google Scholar 

  11. 11

    Mousavi S M, St-Hilaire M. Early detection of DDoS attacks against SDN controllers. In: Proceedings of 2015 International Conference on Computing, Networking and Communications, Garden Grove, 2015. 77–81

    Google Scholar 

  12. 12

    Braga R, Mota E, Passito A. Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: Proceedings of the 35th Annual IEEE Conference on Local Computer Networks, Denver, 2010. 408–415

    Google Scholar 

  13. 13

    Yao L Y, Dong P, Zhang H K. Distributed denial of service attack detection based on object character in software defined network. Chin J Electron Inform Tech, 2017, 39: 381–388

    Google Scholar 

  14. 14

    Porras P, Shin S, Yegneswaran V, et al. A security enforcement kernel for OpenFlow networks. In: Proceedings of SIGGCOMM 1st Workshop on HotSDN. New York: ACM, 2012. 121–126

    Google Scholar 

  15. 15

    Shin S, Porras P, Yegneswaran V, et al. Fresco: modular composable security services for software-defined networks. In: Proceedings of NDSS, 2013. 1–15

    Google Scholar 

  16. 16

    Yao G, Bi J, Xiao P Y. Source address validation solution with openflow nox architecture. In: Proceedings of the 19th IEEE International Conference on Network Protocols, Vancouver, 2011. 7–12

    Google Scholar 

  17. 17

    Fayaz S K, Tobioka Y, Sekar V, et al. Bohatei: flexible and elastic DDoS defense. In: Proceedings of the 24th USENIX Conference on Security Symposium, Washington, 2015. 817–832

    Google Scholar 

  18. 18

    Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms. Comput Commun Rev, 2004, 34: 39–53

    Article  Google Scholar 

  19. 19

    Zargar S T, Joshi J, Tipper D. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun Surv Tut, 2013, 15: 2046–2069

    Article  Google Scholar 

  20. 20

    Huang Y, Geng X J, Whinston A B. Defeating DDoS attacks by fixing the incentive chain. ACM Trans Inter Tech, 2007, 7: 5

    Article  Google Scholar 

  21. 21

    Thom R. Structure stability, catastrophe theory, and applied mathematics. SIAM Rev, 1977, 19: 189–201

    MathSciNet  Article  MATH  Google Scholar 

  22. 22

    Stamovlasis D. Catastrophe theory: methodology, epistemology, and applications in learning science. In: Complex Dynamical Systems in Education. Berlin: Springer, 2016. 141–175

    Google Scholar 

  23. 23

    Guo R, Yin H, Wang D, et al. Research on the active DDoS filtering algorithm based on IP flow. In: Proceedings of IEEE 5th International Conference on Natural Computation, 2009. 628–632

    Google Scholar 

  24. 24

    Gude N, Koponen T, Pettit J, et al. NOX: towards an operating system for networks. Comput Commun Rev, 2008, 38: 105–110

    Article  Google Scholar 

  25. 25

    Rauber A, Merkl D, Dittenbach M. The growing hierarchical self-organizing map: exploratory analysis of highdimensional data. IEEE Trans Neural Netw, 2002, 13: 1331–1341

    Article  MATH  Google Scholar 

  26. 26

    Ashraf J, Latif S. Handling intrusion and DDoS attacks in software defined networks using machine learning techniques. In: Proceedings of IEEE 2014 National Software Engineering Conference (NSEC), Event-Karachi, 2014. 55–60

    Google Scholar 

Download references


This work was supported by National Natural Science Foundation of China (Grant Nos. 61402525, 61402526, 61502528), Key Scientific Research Projects of Henan Province Education Department (Grant No. 18A520004), and Henan Province Science and Technology Projects (Grant No. 182102310925). We also thank Zhong HUA for interesting and helpful discussion on the ideas presented here.

Author information



Corresponding author

Correspondence to Yi Guo.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Guo, Y., Miao, F., Zhang, L. et al. CATH: an effective method for detecting denial-of-service attacks in software defined networks. Sci. China Inf. Sci. 62, 32106 (2019).

Download citation


  • DoS attacks
  • software defined network
  • flow features
  • cusp model
  • equilibrium surface