
Applying Dynamic Threshold in SDN to Detect DDoS Attacks
Do Van Nhat, Luong Duc Huy, Can Quang Truong, Bui Trung Ninh, Dinh Thi Thai Mai
Faculty of Electronics and Telecommunications
University of Engineering and Technology, Vietnam National University
Ha Noi, Viet Nam
Email: {18020974, 18020647, 19021527, ninhbt, dttmai}@vnu.edu.vn

Abstract—In this research, we provide a brief overview of the SDN architecture and of how a DDoS attack can drain a controller's resources. We then introduce a method to detect the attack based on statistical analysis with a dynamic threshold value that changes over time, depending on the traffic over the network. Survey and simulation results show that our solution is feasible for quickly detecting DDoS attacks and helps to improve reliability when compared to other methods that use static threshold values.
Index Terms—SDN, DDoS attack, network security, entropy,
dynamic threshold, statistical analysis method.

I. INTRODUCTION

A. Introduction

Today, with the continuous development of network technology and the explosion of mobile devices, the demand for network services is increasing rapidly. Software-Defined Networking (SDN) is a promising network architecture that can overcome the limitations of traditional networks. The SDN architecture consists of three distinct layers: the Application layer, the Control layer, and the Infrastructure layer [1].

Fig. 1. SDN Architecture.

The Application layer includes all applications and functions for the network system. It connects to the Control layer through APIs (Application Programming Interfaces) that allow the application layer to reprogram the network. The SDN controller in the Control layer acts as the network operator: it controls the network configuration and determines the data flows that pass through the lower data layer, including routing and access decisions for the network. The Infrastructure layer consists of the network equipment that performs packet forwarding under the control of the Control layer. The centralized processing of packets at the controller is also a weakness, since it makes the network vulnerable to attacks such as DDoS. In a DDoS attack, a very large number of packets with spoofed source addresses, for which the switches have no matching flow rules, is sent up to the controller. This causes the network to stall for lack of resources and makes it inoperable; as a result, legitimate traffic from ordinary users cannot reach the server. The most effective protection against these attacks is to detect the DDoS attack at an early stage.

B. Related Works

On the same topic, the authors in [2] proposed a method for detecting DDoS attacks based on extracting six characteristic values from the traffic in the flow table collected from the switch. They then used the SVM algorithm to support the flow assessment, which helps to detect DDoS attacks accurately. Experimental results showed that the average accuracy of the method was 95.24% with only a small amount of flow data collected.

In another machine learning method [11], the authors identify a new type of DDoS attack in the SDN environment that is harder to detect. They then propose a novel real-time DDoS detection scheme for the SDN environment, using Principal Component Analysis (PCA) to analyze the network status from traffic packet data. They separate the network into different parts to reduce the total calculation burden. Then, the residual vector value is calculated in real time; if this value is less than a threshold in a certain time interval, a DDoS attack is detected.

With the improved Principal Component Analysis (PCA) technique in [12], the authors propose weighted principal components to counter this attack. The entire network is partitioned into different subnets and the improved PCA technique is applied to each part independently. The proposed method helped counter DDoS attacks targeted at the controller or the switch with 95.24% accuracy.

In [3], a simpler method exploited to detect DDoS attacks is based on the entropy values of the source address and the destination address of the flows observed by the SDN controller.
These values are then compared to a preset threshold. In addition, the article also provides a module to mitigate the attacks that have been detected.

Another method of detecting DDoS attacks is proposed in [4]. This article proposes a mechanism that uses four modules: attack detection triggering, attack detection, attack tracing, and attack mitigation. This helps to reduce the workload of the controller and the switch; a neural network algorithm is applied, and a combination of classification and entropy-based algorithms is also presented. The test results showed that the proposed mechanism could detect the attack in less than a second and could accurately trace the source of the attack.

The authors in [5] also used entropy to detect DDoS attacks. The entropy value is calculated and compared to a predetermined threshold level. If the entropy value is less than the predetermined threshold, it indicates a possible attack. If no attack is detected, the entropy threshold is updated to the currently calculated entropy to prevent further false analysis, which allows the detection algorithm to adjust dynamically to the nature of the traffic flow. However, the use of this predetermined threshold also has limitations: the static threshold value depends on past attack data, so it reduces the flexibility in determining the threshold for detecting new attacks.

In this study, we found that calculating a fixed entropy value with a certain window size still has many limitations. The actual entropy value depends on the topology of the network, so the use of fixed entropy values reduces flexibility and is not suitable for different service providers. In addition, for a small window size, an IP address whose probability of appearance differs greatly from the others makes the entropy value fluctuate even more, leading to a discrepancy in determining the time of a DDoS attack. In this article, we look at a method of adjusting the threshold dynamically over time based on the variability of the entropy value of each window. By comparing this dynamic threshold value to the current entropy value, we can make predictions about the state of the system.

This article is organized as follows: Part II presents an overview of the proposed method; Part III evaluates the system's performance and provides simulation results. Finally, our conclusions and the orientation of future work are given in Part IV.

II. SYSTEM MODEL

In this section, we present the definition and the formula that calculates the entropy value. After that, we assess the status of the traffic using the destination IP address in the incoming packet header, which is collected by the central controller. If the randomness is high, i.e. packets are sent to random, different destination addresses without an unexpected increase towards a single address, the entropy value stays at its normal level.

Consider a window of N IP addresses, described by a set W with n elements (n ≤ N) that are the different destination IP addresses in the incoming packet headers:

$W = \{x_1, x_2, x_3, \ldots, x_n\}$ (1)

Then, the entropy value is calculated according to the following formula:

$H = -\sum_{i=1}^{n} p_i \log(p_i)$ (2)

The probability of an IP address in W is:

$p_i = x_i / N$ (3)

where $x_i$ is the number of packets carrying the i-th address in W and N is the size (the total number of IP addresses) of W, i.e. N represents the size of a window. Given the maximum of approximately 1.7 reported in Section III for a window of 50 distinct addresses, the logarithm in (2) is to base 10 ($\log_{10} 50 \approx 1.70$), so H ranges from 0 (all N packets to the same address) to $\log_{10} N$ (every packet to a different address).

In (2), if H gets smaller and moves towards zero, it indicates that an abnormal event is going on in the system, and the probability of a DDoS attack is very high. In contrast, when packets are sent to multiple destinations with almost equal frequency and no destination receives far more packets than the others, H stays close to its maximum. At this point, the probability of a DDoS attack is very low.

In [6], to detect a DDoS attack, a static test threshold is selected based on the execution of several attacks, using the confidence interval

$\mathit{ConfidenceInterval} = \bar{X} \pm Z \frac{\sigma}{\sqrt{N}}$ (4)

In (4), $\bar{X}$ is the sample mean and the rest is called the margin of error: Z is the confidence coefficient, σ is the sample standard deviation and N is the sample size. The selected confidence level is 95% (Z = 1.9599).

First, we compute the difference $\Delta = H_{n\min} - H_{a\max}$, in which $H_{n\min}$ is the average entropy of normal traffic minus its margin of error and $H_{a\max}$ is the average entropy under attack plus its margin of error. Finally, the static threshold is determined as $H_{n\max} - \Delta$, where $H_{n\max}$ is the average entropy of normal traffic plus its margin of error. This static threshold is fixed, and any entropy value lower than it is taken to indicate an ongoing attack [6].

However, this static threshold value depends on past attack data, so it reduces flexibility in determining the threshold for detecting new attacks. In this study, the threshold is not fixed but changes continuously over time with the entropy value of the incoming traffic. Entropy values, once calculated, are stored per window. From the values stored for these windows, we calculate the average entropy value $H_t$ and the standard deviation $\sigma_t$:

$H_t = \frac{1}{t} \sum_{i=1}^{t} H_i$ (5)

$\sigma_t = \frac{1}{t} \sum_{i=1}^{t} (H_i - H_t)^2$ (6)

$H_i$ in (5) and (6) is the entropy value of the i-th window, calculated with formula (2) as defined above. Note that (6) as printed is the variance; the standard deviation $\sigma_t$ used in (7) is its square root. Based on the parameters calculated above, we define the dynamic threshold value $T_{dynamic}$ as follows:

$T_{dynamic} = H_t + C_d \cdot \sigma_t$ (7)

In (7), $H_t$ and $\sigma_t$ are the average entropy value and the standard deviation at time t, respectively. According to the normal distribution, 95% of the entropy values lie in the range $H_t \pm 2\sigma_t$. Values smaller than $H_t - 2\sigma_t$ therefore occur only rarely in normal traffic, and we rely on this to select $C_d$ for this system. In [7], $C_d$ is a constant, set to -2 based on experiments.

III. SIMULATION AND RESULTS

Our implementation was run on an MSI computer with an Intel® Core™ i5-9300H processor (2.4 GHz to 4.1 GHz) and 16 GB of DDR4-2666 RAM. The operating system used is Ubuntu 20.04. For simulation purposes, we select Mininet [8] as the network emulator with a POX controller. POX is an improved version of NOX written in Python. The POX controller is simpler and more efficient to use when setting up tests of entropy-based attack detection algorithms. By using Mininet, we can create an attack on a virtual server and analyze the results of our DDoS attack detection algorithm. We simulated a DDoS attack with 64 hosts and 9 Open vSwitches, including 1 core switch and 8 access switches, each connected to 8 hosts.

Fig. 2. System simulation model.

To make the POX controller able to control communication in the network, we revise the l3_learning module [10]. This module provides learning capabilities at layer 3 by storing information about the reachability between nodes in a list. When a new packet arrives, l3_learning processes it and extracts the port and the MAC address. From this information it checks the list; if there is no path, the module uses the ARP protocol to initiate the request. In addition, we added to this module the algorithms that allow the POX controller to calculate entropy values and the parameters needed to detect attacks when there is an unusual change in incoming traffic.

The initialization and sending of packets were carried out with Scapy [9]. Scapy is used to create UDP packets and spoof their source IP addresses to generate the attack flow and the normal traffic in the simulation system. The IP addresses of the hosts in the model are assigned in increasing order, starting from 10.0.0.1.

A. Phase 1: The system is in Normal State

The first test is conducted when the system is in a normal state (Phase 1). We use a host to generate traffic and send it to the system. Packets are sent at 0.1 second per packet with destination port 80 and source port 2. In one run, a total of 500 packets is sent, equivalent to 10 windows.

In our method, the immediate entropy in a window of 50 packets is calculated according to formulas (2) and (3). The average entropy and the standard deviation are calculated using formulas (5) and (6), respectively. Finally, the dynamic entropy threshold is computed according to formula (7) using the values above.

For example, with 50 identical destination IP addresses, the immediate entropy value is 0. This value peaks at approximately 1.7 when 50 different IP addresses are present in a window.

Fig. 3 shows the statistics of a window that the POX controller collected during testing. It is easy to see that packets are sent to many different destination addresses in the network, so the randomness increases, which means that the entropy value at that time also increases. The immediate entropy value in the window is 1.5214, while the calculated dynamic threshold is 1.3894. Since the immediate entropy value is greater than the dynamic entropy threshold, the system concludes that it is in a normal state and that no attack has yet reached the system.

Fig. 3. The normal state of the system.

B. Phase 2: The system is in a State of Attack

The attack scenario in Phase 2 was run in 3 cases with different attack intensities on the system: 25%, 50% and 75%, respectively. The rate of an attack is determined by:

$R_{attack\,rate} = \left(1 - \frac{I_a}{I_n + I_a}\right) \cdot 100\%$ (8)
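The window entropy of (2)-(3), the running statistics (5)-(6), the dynamic threshold (7) and the static threshold that [6] derives with (4) can be exercised end to end in a few dozen lines. The following is an added example written for this page, not the authors' POX module: it builds constructed windows of destination addresses for the paper's 64-host 10.0.0.x topology, with the share of attack packets in a window standing in for the rate of (8), and reports which windows fall below the threshold. Assumptions the paper does not fix are marked in the code: the base-10 logarithm (inferred from the maximum of about 1.7 for 50 distinct addresses), the square root applied to (6), a minimum of three baseline windows before any alarm, and the compare-then-update order in which every window, attack or not, feeds the baseline.

```python
"""Entropy-based DDoS detection with a dynamic threshold, eqs. (2)-(7).

Added example: a stand-alone re-creation of the detection logic on constructed
windows of destination IP addresses. It is not the authors' POX module.
"""
import math
import random
from collections import Counter
from typing import List, Optional, Sequence, Tuple

WINDOW = 50        # packets per window, as in the paper
CD = -2.0          # C_d in (7), the value taken from [7]
MIN_HISTORY = 3    # assumption: baseline windows required before any alarm
Z_95 = 1.9599      # confidence coefficient of (4)


def window_entropy(dst_ips: Sequence[str]) -> float:
    """H = -sum p_i log10(p_i) over one window, eqs. (2)-(3).

    Base 10 is inferred from the paper's maximum of about 1.7 for 50 distinct
    addresses (log10(50) = 1.699); a window of identical addresses gives 0.
    """
    n = len(dst_ips)
    counts = Counter(dst_ips)                   # x_i: packets per distinct address
    return -sum(c / n * math.log10(c / n) for c in counts.values())


class DynamicThresholdDetector:
    """Running mean (5), standard deviation (square root of (6)), threshold (7)."""

    def __init__(self, cd: float = CD, min_history: int = MIN_HISTORY):
        self.cd = cd
        self.min_history = min_history
        self.history: List[float] = []          # H_i of every window seen so far

    def threshold(self) -> Optional[float]:
        """T_dynamic = H_t + C_d * sigma_t over the stored windows, or None."""
        t = len(self.history)
        if t < self.min_history:
            return None
        h_t = sum(self.history) / t
        sigma_t = math.sqrt(sum((h - h_t) ** 2 for h in self.history) / t)
        return h_t + self.cd * sigma_t

    def observe(self, dst_ips: Sequence[str]) -> Tuple[float, Optional[float], bool]:
        """Score one window against the threshold of the previous windows, then
        store it. Returns (H, threshold, alarm). Design choice not fixed by the
        paper: every window, attack or not, feeds the baseline, so the mean and
        the threshold sink during an attack as in the paper's Fig. 5-7."""
        h = window_entropy(dst_ips)
        thr = self.threshold()
        alarm = thr is not None and h < thr
        self.history.append(h)
        return h, thr, alarm


def static_threshold(normal: Sequence[float], attack: Sequence[float],
                     z: float = Z_95) -> Tuple[float, float, float]:
    """Static threshold of [6] built with (4) from per-run average entropies.
    Returns (margin of error of normal traffic, delta = H_nmin - H_amax,
    threshold = H_nmax - delta), the quantities the paper lists in Table I."""
    def mean_margin(xs: Sequence[float]) -> Tuple[float, float]:
        m = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))
        return m, z * sd / math.sqrt(len(xs))
    m_n, e_n = mean_margin(normal)
    m_a, e_a = mean_margin(attack)
    delta = (m_n - e_n) - (m_a + e_a)
    return e_n, delta, (m_n + e_n) - delta


def make_window(rng: random.Random, hosts: Sequence[str], attack_rate: float,
                victim: str) -> List[str]:
    """Constructed traffic: normal packets go to uniformly random hosts; a share
    attack_rate of the window (the rate of (8)) is aimed at the single victim."""
    n_attack = round(attack_rate * WINDOW)
    dsts = [rng.choice(hosts) for _ in range(WINDOW - n_attack)]
    dsts += [victim] * n_attack
    rng.shuffle(dsts)
    return dsts


def simulate(attack_rate: float, seed: int = 7) -> List[Tuple[float, Optional[float], bool]]:
    """10 normal windows, 5 attack windows on one host, 5 normal windows, over
    the paper's 64 hosts 10.0.0.1-10.0.0.64 (window 10 is the first attack)."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, 65)]
    det = DynamicThresholdDetector()
    results = []
    for rate, count in ((0.0, 10), (attack_rate, 5), (0.0, 5)):
        for _ in range(count):
            results.append(det.observe(make_window(rng, hosts, rate, hosts[3])))
    return results


if __name__ == "__main__":
    for rate in (0.25, 0.50, 0.75):
        flagged = [i for i, (_, _, alarm) in enumerate(simulate(rate)) if alarm]
        print(f"attack share {rate:.0%}: alarmed windows {flagged}")
```

Running the file prints the indices of the alarmed windows for each attack share; the 50% and 75% attacks trip the threshold on their first window because their entropy sits far below anything normal traffic produces over 64 hosts. One caveat the paper's own figures make visible: because attack windows keep feeding the mean, a long attack drags both the average and the threshold down with it, so a deployment should freeze the baseline while an alarm is active (as [5] does) or the detector will gradually re-learn the attack as normal.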
In (8), $I_a$ and $I_n$ are the sending periods of the attack traffic and of the normal traffic, respectively, i.e. the time between two consecutive packets of each kind; a shorter period means a higher packet rate, so (8) is the share of attack packets in the incoming traffic. Normal traffic is run on all switches with randomly generated packets going to all hosts. Attack traffic is run from one host to a randomly chosen host. Thus, in the system, normal traffic is spread randomly over all hosts, while attack traffic targets only one host.

First, we attack one host at a rate of 25%, 10 times. This rate gives the smallest entropy drop of all cases, so a threshold that detects it allows the controller to detect any attack whose packets account for 25% of the incoming traffic or more.

TABLE I
STATISTICS BETWEEN ATTACK SCENARIOS.

                              Normal traffic   25% attack   50% attack   75% attack
Average entropy               1.4381           1.2112       1.1186       0.9231
Standard deviation            0.0158           0.0034       0.0113       0.0484
Margin of error               ± 0.0098         ± 0.0021     ± 0.0070     ± 0.0299
Max confidence interval       1.4479           1.2133       1.1256       0.9530
Min confidence interval       1.4283           1.2091       1.1116       0.8932
Min normal - max attack       -                0.2150       0.3027       0.4753
Rate drop of entropy          -                15.06%       21.19%       33.28%

Table I gives the statistical data that we collected with the different attack traffic, from which we can compare their entropy values. The margin of error is computed with (4) over the N = 10 runs (for normal traffic, 1.9599 × 0.0158 / √10 ≈ 0.0098). To obtain these values, taking the 25% attack as an example, we take the following steps:

1) Calculate the lowest entropy value that normal traffic can reach. This equals the average entropy of normal traffic minus its margin of error: 1.4283.
2) Calculate the highest entropy value that attack traffic can reach. This equals the average entropy of attack traffic plus its margin of error: 1.2133.
3) Take the difference of the two values, 0.2150, which relative to the normal-traffic minimum is a drop of 15.06%.

The calculated dynamic threshold values are continuously compared to the instantaneous entropy value of each window. In Fig. 4, when the attack rate was 25%, the controller detected abnormalities in the incoming traffic.

Fig. 4. Detected a DDoS attack (25% of attack rate).

In Fig. 4, the immediate entropy value under attack decreases significantly compared to that of normal traffic. This value of 1.0897 is smaller than the dynamic threshold value of 1.2517. As a result, the POX controller issued a warning that the system was under attack and then blocked the port of the switch to which the packet was sent.

Fig. 5 is the result of a 25% attack on a host. The chart is the result of 10 runs with 500 packets per test. Each point on the horizontal axis is a window interval and the vertical axis displays the entropy value for that interval. In the chart, the blue line shows the transition from regular traffic to attack and back to normal traffic. The red and yellow lines indicate the average entropy and the dynamic threshold value during the attack.

Fig. 5. The attack rate of 25%.

To look at more concentrated attacks, two higher-rate tests were launched on a host. Fig. 6 and Fig. 7 show the attacks with a 50% and a 75% attack rate on a host, respectively. Both simulations show the difference in entropy between the two conditions more clearly.

Fig. 6. The attack rate of 50%.

In the attacks at 50% and 75%, the curve has almost the same shape as in Fig. 7, but the depth of the entropy dip, as well as the slope of the threshold and of the average, is steeper than for the attack at 25%. As the speed of
attack increases and the number of attack packets generated is fixed, the percentage of attack packets in the window increases. This results in a deeper and narrower dip in the attack chart.

Fig. 7. The attack rate of 75%.

C. Evaluation Metrics

The speed of the attack and the volume of attack messages produce different attack rates. If a higher attack rate is chosen, the entropy drops faster, so the response time decreases and the attack is detected sooner. In Fig. 8, the response time for the 75% attack rate is the lowest and the one for 25% is the highest. Of course, as mentioned, the response time also depends on the window size: the bigger the window size, the longer the response time, and vice versa. We continue to use the window size of 50 packets, which we found optimal, for our evaluation.

Fig. 8. Average response time with different attack rates.

In this study, the parameter $C_d$ in (7) is chosen between -2 and 2 and it affects the evaluation results of the system. We use the statistical parameters below to evaluate the impact of the choice of $C_d$ on the reliability and accuracy of the proposed algorithm.

We built three test scenarios with $C_d$ equal to 1, -0.2 and -2, respectively. For each of them, we ran about 101 trials; the normal traffic comes from two different hosts and the malicious traffic, with an attack rate of 50%, from another host.

TABLE II
EVALUATION METRICS OF DYNAMIC THRESHOLD IN DDOS ATTACK DETECTION

C_d     TP (%)   FP (%)   Alarm Rate (%)   Precision (%)   Accuracy (%)
1       100      75.25    87.63            57.06           62.38
-0.2    100      22.77    61.39            81.45           88.62
-2      100      2.97     51.49            97.12           98.52

In Table II, True Positive (TP) means that a real attack occurs and is successfully detected by the system, and False Positive (FP) means that no attack occurs in fact but the system incorrectly enters the alarm state. As can be seen, the closer $C_d$ is to -2, the better the results. The TP and FP metrics for $C_d$ = -2 are the best, so its precision and accuracy are also the highest. A high precision value together with a high accuracy value indicates that the measurements are close to each other and close to the target value, which means that the method is good and reliable. Finally, this $C_d$ value shows the best performance for reliable DDoS attack detection. With higher attack intensities, the results are the same.

Fig. 9. Precision and Accuracy with different Cd values.

D. Comparing with static threshold entropy value method

Fig. 10 illustrates the response time of the static-entropy and the dynamic-entropy method. As illustrated in the figure, the static threshold method takes more time to detect an attack than the dynamic one, because five consecutive windows are needed to detect a DDoS attack, which causes a certain delay. Besides, a static threshold value leads to low flexibility, whereas with a dynamic threshold that adapts over time the system responds faster.

Fig. 11 illustrates the accuracy and precision of the static-entropy and the dynamic-entropy method. It shows that the proposed method is somewhat more accurate and precise than the other one. With the static threshold entropy, the correct result is 98.02%,
which is quite close to the proposed method. But the FP value, in Table III, is 0%.

Fig. 10. Average response time with different attack rates of different methods.

Fig. 11. Precision and Accuracy with different methods, Cd = -2 for dynamic threshold.

TABLE III
EVALUATION METRICS OF STATIC THRESHOLD IN DDOS ATTACK DETECTION WITH 50% ATTACK.

TP (%)   FN (%)   FP (%)   TN (%)   Alarm Rate (%)   Precision (%)   Accuracy (%)
96.04    3.96     0        100      100              100             98.02

We attribute the FP value of the static method to the following two reasons:

1) Since the threshold is a constant value, the ability to adapt to the traffic flow is not available.
2) The normal traffic is highly random, so its entropy value is always distributed at a highly stable level.

These two reasons mean that the entropy values calculated in the normal scenario cannot fall below the static threshold value. As a result, the FP value is 0%, which indicates that the false-alarm behaviour of the static threshold method is better than that of the proposed one.

IV. CONCLUSIONS

Software-Defined Networking is a promising type of network architecture that is gradually gaining popularity, offering hope of replacing the current traditional network model and providing flexibility in network configuration through centralized SDN controllers. To improve security, we have presented a DDoS attack detection system based on the calculation of entropy values and the determination of a dynamic threshold. According to the test results, the proposed method is flexible, reliable and capable of rapid detection of DDoS attacks. This paper quantifies early detection for the first 250 packets within 40 seconds, which suggests that the proposed method can detect DDoS attacks at an early stage even if the system receives only a small number of packets.

In the future, we will continue to make changes to improve the performance of the entire system. Improvements can come from the use of more professional and practical datasets for testing. The application of machine learning to the algorithm is also a very powerful tool to help improve accuracy against complex attacks. In addition, combining load balancing strategies to distribute malicious traffic is also a good way to mitigate the damage caused by DDoS attacks.

REFERENCES

[1] SDX Central, "Understanding the SDN Architecture". [Online]. Available: https://www.sdxcentral.com/resources/sdn/inside-sdn-architecture/. [Accessed Feb. 2022].
[2] J. Ye, X. Cheng, J. Zhu, L. Feng, L. Song, "A DDoS attack detection method based on SVM in software defined network", Security and Communication Networks, 2018.
[3] J. Dalou, B. Al-Duwairi, M. Al-Jarrah, "Adaptive entropy-based detection and mitigation of DDoS attacks in software defined networks", International Journal of Computing, 2020, pp. 399-410.
[4] Y. Cui, L. Yan, S. Li, H. Xing, W. Pan, J. Zhu, X. Zheng, "SD-Anti-DDoS: fast and efficient DDoS defense in software-defined networks", J. Netw. Comput. Appl., 2016, pp. 65-79.
[5] T. Omar, A. Ho, B. Urbina, "Detection of DDoS in SDN Environment Using Entropy-based Detection", IEEE International Symposium on Technologies for Homeland Security (HST), 2019, pp. 1-4.
[6] T. Nakashima, T. Sueyoshi, S. Oshima, "Early DoS/DDoS Detection Method using Short-term Statistics", International Conference on Complex, Intelligent and Software Intensive Systems, 2010, pp. 168-173.
[7] G.-C. Hong, C.-N. Lee, M.-F. Lee, "Dynamic Threshold for DDoS Mitigation in SDN Environment", 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Lanzhou, China, 2019, pp. 1-7.
[8] Mininet. [Online]. Available: http://mininet.org/. [Accessed Feb. 2022].
[9] Scapy. [Online]. Available: https://scapy.net/. [Accessed Feb. 2022].
[10] GitHub, POX Controller. [Online]. Available: https://noxrepo.github.io/pox-doc/html/. [Accessed Feb. 2022].
[11] D. Wu, J. Li, S. K. Das, J. Wu, Y. Ji, Z. Li, "A Novel Distributed Denial-of-Service Attack Detection Scheme for Software Defined Networking Environments", 2018 IEEE International Conference on Communications (ICC), 2018, pp. 1-6.
[12] S. Salaria, S. Arora, N. Goyal, P. Goyal, S. Sharma, "Implementation and Analysis of an Improved PCA technique for DDoS Detection", 2020 IEEE 5th International Conference on Computing Communication and Automation (ICCCA), 2020, pp. 280-285.
