An Innovative Framework To Detect And Mitigate High and Low-rate DDoS Attack And IP/MAC Spoofing DDoS Attacks In SDN Using Renyi Entropy.

SafayatJamilSiam1

Mohd. RashidiChe Beson1✉Emailrashidibeson@unimap.edu.my

Ku NurulKuFazira Ku Azir1

MdMarufHassan2

1Centre of Excellence for Advanced Computing, Faculty of Intelligent ComputingUniversiti Malaysia Perlis (UniMAP)02600ArauPerlisMalaysia

Department of Computer Science and EngineeringSoutheast University262 Tejgone I/A, Dhaka1208Bangladesh

Safayat Jamil Siam^a, Mohd. Rashidi Che Beson^{a, *}, Ku Nurul Fazira Ku Azir^a, Md Maruf Hassan^b

^aCentre of Excellence for Advanced Computing, Faculty of Intelligent Computing, Universiti Malaysia Perlis (UniMAP), Arau, 02600, Perlis, Malaysia

^bDepartment of Computer Science and Engineering, Southeast University, 262 Tejgone I/A, Dhaka, 1208, Bangladesh

*Corresponding author: rashidibeson@unimap.edu.my

Abstract

The centralized nature of Software-Defined Networking (SDN) offers flexibility but makes the controller highly vulnerable to Distributed Denial-of-Service (DDoS) attacks. This paper proposes a Rényi entropy–based detection and mitigation framework that addresses high-rate flooding, low-rate stealthy attacks, and IP/MAC spoofing threats in SDN. Unlike Shannon entropy, Rényi entropy provides adjustable sensitivity through its tunable parameter, enabling more accurate identification of abnormal traffic distributions. The framework simultaneously monitors five traffic attributes—source IP, source MAC, protocol type, packet size, and packet inter-arrival time—while dynamically updating entropy thresholds from historical values to adapt with changing traffic conditions. Spoofing detection is enhanced by identifying mismatches between IP and MAC entropies. Experimental validation in a Mininet-WiFi testbed with a Ryu controller shows that the framework consistently detects diverse attack types with ~ 80% accuracy, low false positives, and minimal computational overhead. The system uses few resources, keeping CPU use between 0.0% and 2.5%, and it detects and responds to different kinds of threats in less than 2.5 seconds.

Keywords:

SDN

DDoS attack

Renyi entropy

Low-rate DDoS attack

IP/MAC spoofing attack

Introduction

The rapid expansion of networked devices, cloud services, and latency-sensitive applications has increased the demand for networking solutions that are adaptable, programmable, and easy to manage. Conventional networks, in which control and forwarding logic coexist within the same hardware elements, are often inflexible in the everchanging network environment and require manual configuration. Their reliance on proprietary hardware and lack of centralized oversight makes them poorly suited to the operational complexity of modern infrastructures [1], [2], [3], [4].

Software-Defined Networking (SDN) has emerged as a paradigm that overcomes these limitations by decoupling the control plane from the data plane [5], [6], [7]. In an SDN deployment, the centralized controller manages flow decisions, security policies, and routing strategies, while the underlying switches and routers simply execute those instructions. The architecture typically comprises three planes: the application plane, with hosts management system and orchestration tools; the control plane, where the SDN controller operates; and the data plane, consisting of forwarding devices such as OpenFlow-enabled switches. Northbound APIs connect the controller to applications, whereas southbound protocols like OpenFlow facilitate communication between the controller and network devices [8], [9], [10].

While centralization offers better visibility and flexibility, it also introduces critical security challenges. The SDN controller, as the network’s decision-making hub, is particularly vulnerable to Distributed Denial-of-Service (DDoS) attacks [11], [12], [13], [14], [15]. During such an attack, adversaries can generate streams of packets with spoofed source and destination information, ensuring they miss existing flow entries in the switches. This forces the switches to send a surge of packet via Packet-In messages to the controller for necessary instructions. In this situation, the controller has to process a huge amount of packet within a limited time frame and the resulting processing overhead can lead to increased latency, CPU and memory exhaustion, and even controller failure, leaving the network without timely forwarding decisions. Ultimately, this may cause packet loss, service outages, and degraded overall performance [16], [17], [18].

In SDN environments, DDoS attacks can manifest in several forms:

Protocol-based flooding attacks

High-rate flooding of TCP SYN, UDP, or ICMP packets aimed at exhausting control-plane resources and overwhelming switch–controller communication. These attacks generate large volumes of traffic to rapidly degrade network performance [19], [20].

IP spoofing–based DDoS attacks

Attackers disguise malicious traffic by impersonating legitimate IP addresses within the network. When multiple spoofed MAC addresses are associated with the same IP, traditional IP-based detection becomes unreliable, making it difficult to distinguish between legitimate and fake sources [21], [22].

Low-rate (stealthy) DDoS attacks

Instead of overwhelming the network with high-volume traffic, adversaries send small bursts of packets at precisely timed intervals. This creates minimal bandwidth spikes, often evading traditional threshold-based detectors, while still degrading service availability over time [23].

These attack variations demand a detection and mitigation approach that is capable of identifying both high-volume and low-rate anomalies, as well as uncovering hidden spoofing activity within the network.

To counter these threats, researchers have explored numerous detection strategies, including signature matching, anomaly detection[24], and machine learning [25], [26]. Although effective in certain contexts, many of these approaches demand substantial processing resources and struggle with real-time scalability. Entropy-based detection techniques have gained attention as a more lightweight alternative. By quantifying randomness in network traffic attributes—such as IP address diversity, protocol variation, packet size distribution, and temporal patterns [27], [28], [29], [30], [31]—these methods can spot abnormal shifts indicative of attacks. However, many existing entropy-based models rely on a single traffic feature, which makes them vulnerable to adversarial evasion. Attackers can deliberately target unmonitored attributes, such as spoofing MAC addresses or manipulating packet timing, to bypass detection.

In this work, we introduce a multi-parameter DDoS detection and mitigation framework that enhances traditional entropy-based strategies in two major ways. First, instead of Shannon entropy, the framework employs Rényi entropy with a configurable α parameter. This measure offers greater sensitivity to non-uniform distributions, enabling better detection of anomalies in skewed traffic patterns. Second, the system incorporates a spoofing-aware detection rule: if the entropy of source IP addresses differs from the entropy of source MAC addresses, the traffic is flagged as potentially spoofed. This dual-entropy check helps reveal IP spoofing and MAC address spoofing attacks that would otherwise blend into normal traffic patterns.

The proposed method evaluates five distinct traffic features in parallel—source IP addresses, packet inter-arrival times, protocol types, source MAC addresses, and packet sizes—making it effective against both high-rate protocol-based floods and stealthy low-rate DDoS attacks. The low-rate detection capability is achieved by monitoring the Rényi entropy of packet timing intervals, which uncovers repetitive burst patterns that evade volume-based thresholds. When an anomaly is detected, malicious flows are blocked via OpenFlow rules directly in the switches, and blocked hosts are automatically unblocked once normal behaviour resumes.

In summary, this study offers a lightweight, real-time, and spoofing-resilient DDoS defence mechanism for SDN environments. By combining multi-parameter entropy analysis, the sensitivity of Rényi entropy, and automated mitigation through OpenFlow, the framework delivers robust protection for the control plane without the computational overhead of complex machine learning models. The key contributions of this work are:

Introduction of Rényi entropy for DDoS detection in SDN

Unlike the previous works that used Shannon entropy, this work applies Rényi entropy with a tuneable

$\:\alpha\:$

parameter to enhance sensitivity to skewed traffic distributions. This allows for improved anomaly detection, especially in cases where malicious traffic exhibits subtle but non-uniform patterns.

Spoofing-aware detection via IP–MAC entropy mismatch

A new detection rule flags traffic as suspicious when the entropy of source IP addresses differs from the entropy of source MAC addresses, enabling effective identification of IP spoofing and MAC spoofing attacks that bypass single-attribute monitoring.

Multi-attribute traffic analysis for comprehensive detection

The framework simultaneously evaluates five network traffic features, Source IP addresses, Packet inter-arrival times, Protocol type distribution, Source MAC addresses, Packet size distribution This holistic approach improves detection accuracy and lowers the false positive rate compared to single-feature methods.

Low-Rate DDoS attack detection through time based entropy analysis

By monitoring Rényi entropy of packet arrival time intervals, the system effectively detects stealthy low-rate (pulsing) DDoS attacks that avoid detection by traditional volume-based methods.

Real-Time automated mitigation in SDN

Upon detection, malicious hosts are automatically blocked at the switch level using OpenFlow rules. Blocked hosts are dynamically unblocked once their traffic patterns return to normal, ensuring adaptive defence without permanent disruption of legitimate users.

2. Methodology

The proposed framework leverages the programmability and centralized monitoring capabilities of SDN to detect and mitigate various types of DDoS attacks, including high-rate protocol flooding, IP/MAC spoofing, and low-rate stealthy attacks. The detection process is based on calculating the Rényi entropy of multiple traffic parameters within a defined time window, providing a more adaptable and tuneable sensitivity compared to Shannon entropy. The whole arcitechture of the framework is showed in Fig. 1:

Fig. 1

The proposed renyi entropy-based DDoS detection and mitigation framework.

2.1 Data acquisition and pre-processing

The detection process begins with the continuous collection of packet-level metadata from the network’s OpenFlow-enabled switches. These switches are programmed, via the controller, to forward relevant packet headers for analysis through packet-in message without introducing significant forwarding delays. Only essential fields from each packet are extracted to minimize overhead while retaining the key features required for entropy computation.

For every packet observed during the monitoring period, the following attributes are recorded as shown in Table 1:

Table 1
Entropy of different network traffic attributes and their applications
Network traffic attributes	Description
Source IP address (E1)	Captures the distribution of originating hosts in the network.
Protocol type (E2)	Indicates whether the packet belongs to TCP, UDP, or ICMP traffic, contributing to protocol diversity analysis.
Packet size (E3)	Provides insights into traffic uniformity, as many flooding attacks produce packets of identical length.
Packet arrival time (E4)	Used to compute the intervals between consecutive packets, enabling the detection of temporally structured low-rate attacks.
Source MAC address (E5)	Identifies the actual hardware origin of traffic and supports the detection of IP/MAC spoofing attempts.

All captured traffic attributes are stored in time-stamped data structures. To ensure that only the most recent traffic is considered during entropy computation, a sliding time window is applied. Entries older than the configured monitoring period are automatically discarded, preventing outdated or irrelevant data from affecting detection accuracy.

This pre-processing step produces clean, protocol-organized datasets that are ready for entropy calculation, spoofing analysis, and threshold comparison in subsequent stages of the framework.

2.2 Rényi entropy for anomaly detection

The framework employs Rényi entropy as the primary metric for quantifying uncertainty in network traffic patterns. Rényi entropy, introduced by Alfréd Rényi in 1961, is a generalized form of Shannon entropy that introduces a tuneable parameter 𝛼 (also known as the order of the entropy). This parameter allows the measure to place more or less emphasis on high-probability events, providing a flexible means of analysing diverse traffic distributions.

The Rényi entropy of order 𝛼 for a discrete probability distribution

$\:P=\{{p}_{1},\:{p}_{2},\dots\:,{p}_{n}\}$

is defined as:

$\:{H}_{\alpha\:}\left(X\right)=\:\frac{1}{1-\alpha\:}{{log}}_{2}\left(\sum\:_{i=1}^{n}{p\left({x}_{i}\right)}^{\alpha\:}\right),\:\alpha\:>0,\:\alpha\:\ne\:1$

Where:

$\:{H}_{\alpha\:}\left(X\right)$

is the Rényi entropy for dataset X.

$\:{p(x}_{i})$

is the probability of the

$\:{i}^{th}$

unique element in the dataset (e.g., a particular source IP address, MAC address, or packet size occurrence in the traffic window). 𝑛 is the number of unique elements. α controls the sensitivity of the entropy measure, When 𝛼→1, Rényi entropy converges to Shannon entropy. Higher 𝛼 values give more weight to high-frequency events. On the other hand, Lower 𝛼 values increase sensitivity to rare events.

Advantages of Rényi entropy over Shannon entropy:

Adjustable sensitivity

Shannon entropy treats all events proportionally to their probability, which can dilute the impact of dominant patterns in heavily skewed traffic. Rényi entropy allows fine-tuning via 𝛼, making it possible to prioritize frequent patterns (helpful in detecting high-volume DDoS floods) or rare anomalies (beneficial for identifying stealthy, low-rate attacks).

Enhanced detection of skewed distributions

In DDoS scenarios, certain features—such as source IP or MAC—often show extreme concentration. With a suitable 𝛼>1, Rényi entropy becomes more responsive to such dominance, detecting deviations earlier than Shannon entropy.

Greater robustness against noise

Network traffic naturally exhibits randomness. Shannon entropy may overreact to small fluctuations in legitimate traffic. By tuning 𝛼, Rényi entropy can suppress the effect of low-probability noise, reducing false positives.

Unified framework for multiple attack types

The flexibility of Rényi entropy allows the same metric to be optimized for high-rate protocol floods, IP/MAC spoofing, and low-rate timing attacks—all of which have different traffic distribution characteristics.

The renyi entropy for each selected network traffic attributes is calculated in the following ways:

E1 = Source IP address entropy

This measures the spread of traffic across different source IP addresses. A large

$\:{H}_{\alpha\:}$

indicates traffic is coming from many unique IPs (normal), while a small value implies dominance of a few source Ips in case of forwarding traffic — possibly from a DDoS attack or IP spoofing.

$\:{H}_{\alpha\:}\left(Source\:IP\right)=\:\frac{1}{1-\alpha\:}{log}_{2}(\sum\:_{i=1}^{n}p({{Src\_IP}_{i})}^{\alpha\:}$	(2)
where,

$\:p\left({Src\_IP}_{i}\right)=\frac{packets\:from\:{Src\_IP}_{i}}{total\:packets\:observed}$

E2 = Protocol Type Entropy

Evaluates the diversity of protocols (e.g., TCP, UDP, ICMP) in the network. If a single protocol becomes dominant,

$\:{H}_{\alpha\:}$

decreases — indicating a protocol-based flooding attack.

$\:{H}_{\alpha\:}\left(Protocol\right)=\:\frac{1}{1-\alpha\:}{log}_{2}(\sum\:_{i=1}^{n}p({{Protocol}_{i})}^{\alpha\:}$		(4)
Where,
$\:p\left({Protocol}_{i}\right)=\frac{packets\:of\:specific\:\:{protocol}_{i}}{total\:packets\:observed}$	(5)

E3 = Packet Size Entropy

Determines variation in packet sizes. Low

$\:{H}_{\alpha\:}$

means repeated identical packet sizes dominate — a common trait in DDoS floods that send uniform packets.

$\:{H}_{\alpha\:}\left(Packet\:size\right)=\:\frac{1}{1-\alpha\:}{log}_{2}(\sum\:_{i=1}^{n}p({{Pkt\_size}_{i})}^{\alpha\:}$	(6)
where

$\:p\left({Pkt\_size}_{i}\right)=\frac{\:specific\:packet\:\:{size}_{i}}{total\:packets\:observed}$

(7)

E4 = Packet Inter-Arrival Time Entropy

Captures the variability in time intervals between incoming packets. Low values of

$\:{H}_{\alpha\:}$

indicate regular and predictable arrival patterns — typical of low-rate (pulsing) DDoS attacks.

$\:{H}_{\alpha\:}\left(Inter\:arrival\:time\right)=\:\frac{1}{1-\alpha\:}{log}_{2}(\sum\:_{i=1}^{n}p({{Interval}_{i})}^{\alpha\:}$

where

$\:p\left({Interval}_{i}\right)=\frac{\:Occurance\:of\:\:{interval}_{i}}{total\:packets\:observed}$

E5: Source MAC Address Entropy: Reflects the diversity of source MAC addresses in network traffic. Low

$\:{H}_{\alpha\:}$

values mean that traffic is coming from a small set of MACs, suggesting MAC spoofing or a compromised internal host. Comparing E1 and E5 also reveals IP–MAC mismatches, useful for detecting spoofing-based attacks.

$\:{H}_{\alpha\:}\left(Source\:MAC\right)=\:\frac{1}{1-\alpha\:}{log}_{2}(\sum\:_{i=1}^{n}p({{Src\_MAC}_{i})}^{\alpha\:}$

where

$\:p\left({Src\_MAC}_{i}\right)=\frac{\:Packets\:from\:\:{Src\_MAC}_{i}}{total\:packets\:observed}$

Under normal network conditions, the diversity patterns of source IPs and source MACs should be correlated because, in a legitimate environment, a single host has a fixed MAC–IP pairing. For example, if three different IPs are active, we generally expect three distinct MAC addresses (except in virtualized or NAT environments, which are controlled and predictable).

However, during IP spoofing–based DDoS attacks or MAC spoofing attacks, this relationship breaks:

IP spoofing attack: A single MAC address sends traffic using multiple forged IP addresses. This increases E1 (IP entropy) while E5 (MAC entropy) remains low.

MAC spoofing attack: Multiple devices forge the MAC address for a legitimate IP to evade detection. In this case, E5 rises while E1 remains low.

Therefore,

$\:If\:E1\:\ne\:E5\:\to\:Potential\:IP/MAC\:spoofing\:attack$

This rule is applied without a predefined threshold for spoofing entropy. Instead, the mismatch itself is treated as an anomaly, as it violates the expected one-to-one mapping between source IP and source MAC in legitimate SDN traffic.

2.3 Dynamic entropy threshold adaptation and updating mechanism

In SDN-based DDoS detection, relying on static entropy thresholds can be problematic because traffic characteristics fluctuate over time due to changes in user activity, application usage, and network load. A fixed threshold may therefore either trigger unnecessary alerts or fail to detect certain attack patterns. To overcome this limitation, the proposed framework employs an adaptive threshold mechanism that continuously adjusts based on recent network behaviour.

Let the monitored entropy features be:

$\:\epsilon\:=\{{\epsilon\:}_{SrcIP},\:{\epsilon\:}_{protocol},\:{\epsilon\:}_{PktSize},\:{\epsilon\:}_{Time\:interval},\:{\epsilon\:}_{SrcMAC}\}$

Each entropy metric is computed over a predefined observation period (e.g., 60 seconds). The values obtained in successive intervals are stored in rolling historical datasets for each feature, enabling statistical threshold estimation.

For any given feature

$\:{\epsilon\:}_{f}$

the adaptive threshold

$\:{T}_{f}$

is computed from the most recent 𝑛 recorded entropy values:

$\:{T}_{f}=\:{\epsilon\:}_{f}-\:\lambda\:{\sigma\:}_{f}$

here

$\:{\epsilon\:}_{f}$

is the mean entropy value over the stored history.

$\:{\epsilon\:}_{f}=\:\frac{\sum\:_{i=1}^{n}{\epsilon\:}_{f}\left(i\right)}{n}$

$\:{\sigma\:}_{f}$

is the standard deviation of those historical values

$\:{\sigma\:}_{f}=\:\sqrt{\frac{\sum\:_{i=1}^{n}{({\epsilon\:}_{f}\left(i\right)-{\epsilon\:}_{f})}^{2}}{n}}$

$\:{\uplambda\:}$

is the sensitivity coefficient controlling how aggressively the system reacts to deviations. Higher values reduce false alarms but may delay detection, while lower values increase sensitivity at the risk of misclassifying normal fluctuations.

When the quantity of historical entropy data n falls below a specified minimum threshold (for instance, n < 3), it is not feasible to accurately compute the dynamic entropy threshold. In that case, between the maximum entropy seen during attack scenarios and the minimal entropy seen under typical circumstances, a default threshold can be established. Between these two values, the default threshold value can be found.

Detection logic

When the calculated entropy for a feature fall below its adaptive threshold, it is flagged as suspicious. The confidence of detection increases if multiple entropy features drop below their respective thresholds in the same interval.

Threshold update process

After each observation period, the newly computed entropy values are appended to their respective historical lists. These lists maintain a fixed maximum length (e.g., 20 records) using a First-In-First-Out (FIFO) update policy. This ensures that the thresholds always reflect recent traffic behaviour while preventing excessive memory usage.

2.4 Anomaly detection process

The framework operates by continuously inspecting live network traffic and applying a Renyi entropy–based analysis to detect irregularities in network traffic characteristics indicative of potential Distributed Denial of Service (DDoS) activity. The principle behind this approach is that DDoS attacks often disrupt the natural diversity of specific network traffic characteristics, leading to measurable reductions in entropy. Five distinct attributes are examined in each detection cycle, source IP address distribution, packet arrival time intervals, protocol type distribution, packet size distribution, source MAC address distribution.

The system identifies anomalies when either of the following conditions is met:

Entropy threshold breach

If the Renyi entropy value for any selected network traffic attribute drops below its respective dynamic entropy threshold, calculated from historical averages, this indicates a loss of diversity consistent with DDoS behaviour.

IP/MAC entropy mismatch

If source IP entropy differs from source MAC entropy, the system flags this as an IP or MAC spoofing attempt where, attackers generate traffic that claims to originate from a single legitimate IP but uses multiple or unusual MAC addresses—or vice versa.

Protocol-based flooding attacks: (e.g., TCP SYN, UDP, ICMP floods): These attacks significantly reduce protocol entropy as the traffic becomes dominated by a single protocol.

Low-rate DDoS attacks

Instead of saturating the bandwidth, these attacks send packets at precisely timed intervals to evade volume-based detection. This produces highly regular inter-packet arrival times, lowering packet arrival time entropy while other features may remain normal.

2.5 Attack attribution

Upon detection of an anomaly, the system evaluates host-level contributions to the entropy shift. This involves identifying IP addresses whose traffic patterns disproportionately influence the decline in entropy—such as sending excessive packets of a specific protocol, uniform packet sizes, or maintaining fixed source identifiers. Any host exhibiting dominant and abnormal behaviour across monitored attributes is labelled as a likely attacker.

2.6 Mitigation mechanism

Once the malicious source(s) are confirmed, the SDN controller issues high-priority flow rules to the OpenFlow switches to drop all traffic originating from the offending IP address(es). The mitigation rules are enforced with a finite timeout (e.g., 60 seconds), ensuring temporary isolation of suspicious hosts without long-term disruption to legitimate users.

2.7 Host recovery and continuous protection

Blocked hosts are re-evaluated at the end of their timeout period. If their traffic behaviour aligns with normal entropy patterns, the drop rule is removed, allowing them to resume communication. However, because the detection process runs continuously, any recurrence of abnormal patterns—whether due to renewed attacks or persistent malicious activity—will trigger immediate re-blocking. This dynamic cycle ensures rapid containment of threats while minimizing false positives.

The logical workflow of the framework is described through the algorithm 1

The framework employs Rényi entropy to detect and mitigate DDoS attacks in SDN by monitoring five network traffic features—source IP (E1), protocol type (E2), packet size (E3), packet inter-arrival time (E4), and source MAC (E5)—within fixed time windows. Traffic statistics are collected in real time from OpenFlow switches and the entropy of each attribute is calculated at the end of each time window. Dynamic thresholds are updated based on historical entropy values to adapt to changing network conditions. An attack is identified if any entropy value falls below its respective threshold, indicating abnormal concentration or irregularity, or if E1 and E5 differ, signalling IP or MAC spoofing. This unified detection strategy enables the framework to identify protocol-based flooding, spoofing, and low-rate DDoS attacks. Upon detection, malicious hosts are blocked using OpenFlow rules for a set duration, after which they are re-evaluated to restore legitimate access.

2.8 Experimental setup

A software-defined networking (SDN) infrastructure was simulated using the Mininet-WiFi virtual machine in order to assess the performance of the suggested Renyi entropy-based DDoS detection and mitigation framework. As shown in Fig. 4, the network topology included a ryu controller (c0), one OpenFlow-enabled switch (s1), and five hosts (h1, h2, h3, h4, and h5). The OpenFlow switch is directly connected to the five hosts, and the switch (s1) is connected to the SDN controller (c0). Several protocol types, including TCP, UDP and ICMP, were used to produce traffic between the hosts in both normal and attack circumstances. With the use of high rate traffic generation tools like hping3, DDoS attacks, such as TCP SYN, ICMP floods and UDP floods, were directed towards the controller utilizing the h2, h3, and h4 hosts. A Ryu application was used to integrate the renyi entropy-based detection logic into the SDN controller.

Fig. 2

SDN testbed created in mininet-wifi to evaluate the effectiveness of the framework.

2.9 Evaluation metrics

The following key metrics were used to assess the framework's performance on the SDN topology depicted in Fig. 2.

Throughput (Mbps)

The quantity of data that successfully transferred between two points in a network is known as throughput (Mbps). During normal and attack settings, the throughput was assessed using performance measuring tools like iperf at 10-second intervals between h1 and h5.

Detection Accuracy (DA)

The proportion of real attacks out of all assessed traffic events (attacks and regular traffic) that the framework correctly detects.

$\:Detection\:Accuracy\:\left(DA\right)=\:\frac{TP+TN}{TP+TN+FP+FN}\:\times\:100$

In this case, attack traffic that has been successfully detected as an attack is known as TP (True Positive). The usual traffic is accurately identified as normal is TN (True Negative). Normal traffic that is mistakenly categorized as attack is called FP (False Positive), and attack traffic that is mistakenly classed as normal is called FN (False Negative).

False Positive Rate (FPR)

The proportion of benign (non-malicious) hosts that are blocked after being mistakenly identified as attackers.

$\:False\:Positive\:Rate\:\left(FPR\right)=\:\frac{FP}{FP+TN}\:\times\:100$

3. Result and discussion

3.1 Throughput analysis under protocol-based DDoS attacks

To understand the resilience of the proposed framework against conventional flooding-based attacks, throughput performance was analysed under different traffic scenarios. Protocol-oriented DDoS attacks such as TCP SYN, UDP, and ICMP flooding were simulated in the SDN environment showed in figure-2 to observe their impact on network stability. Throughput between a selected source-destination pair (h1–h5) was measured and compared under normal conditions, during active attacks without any defence mechanism, and while the Renyi entropy–based framework was deployed. This evaluation highlights both the degree of network disruption caused by protocol floods and the effectiveness of the proposed solution in restoring stable throughput.

The changing of throughput at every second between h1 and h5 within 1 to 10 second time interval was evaluated in four traffic conditions (Normal, TCP SYN, UDP and ICMP flooding) in Fig. 3 when there is no defence mechanism in present. According to the Fig. 3, the throughput was continuously increasing and relatively high during normal conditions. However, in the attack condition (TCP SYN, UDP, ICMP flooding) the throughput continuously declines at a significant level. Because, the malicious traffic starts to takeover at the SDN controller and prevents it to respond timely to the legitimate network traffic events.

Fig. 3

Throughput in SDN in different conditions (normal & attack) without any defence mechanism.

On the other hand, when the renyi entropy-based DDoS detection and mitigation framework is in action, the controller starts to identify the attack sources and blocks them until they come back to the normal operations with the help of the framework. As a result, the normal traffic is restored and the throughput tries to remain high and steady even in the attack conditions as shown in Fig. 4.

Fig. 4

Throughput in SDN in different conditions (normal & attack) when the renyi entropy-based DDoS detection and mitigation framework is active.

To properly evaluate the effect of DDoS attack in the SDN environment showed in Fig. 2 as well as the effectiveness of the renyi entropy-based DDoS detection and mitigation framework against such type of attacks, the average throughput between h1 and h5 was evaluated in normal and attack conditions in Fig. 5. According to Fig. 5, a notable declination of average throughput was observed during TCP SYN, UDP and ICMP flooding attack when there is no defence mechanism is active. On the other hand, when the renyi entropy-based anti DDoS mechanism is in action, there is no significant declination of average throughput observed even in the attack condition.

These observations confirms that the renyi entropy-based DDoS detection and mitigation framework plays an important role in terms of detecting and mitigating protocol-based DDoS attacks in SDN environment as well as preserving the normal operations of the network even in active attack conditions.

Fig. 5

Average throughput between h1 & h5 after 10 seconds.

3.2 Throughput analysis under low-rate DDoS attacks:

Unlike high-volume floods, low-rate (or pulsing) DDoS attacks operate by sending periodic traffic bursts at a fixed time interval that appear less suspicious yet gradually degrade network performance. To assess the effectiveness of the proposed framework against such stealthy threats, a controlled low-rate TCP SYN and ICMP flooding attack scenario was created using periodic bursts with fixed inter-arrival times towards the controller (c0) with the help of h2, h3 and h4 hosts using hping3 tool in the SDN topology showed in figure-2. Throughput between the h1 and h5 hosts was then monitored under attack and defence conditions in 1 to 10 second time interval. This evaluation demonstrates how the time-interval–based Renyi entropy metric enables early detection of temporally structured traffic anomalies and ensures network stability even when traditional volume-based detectors might fail.

Figure-6 presents the devastating impact of low-rate TCP-SYN and ICMP flooding attack in SDN environment where the throughput continuously declines significantly in every second compared to the normal condition during such type of attack.

Fig. 6

Throughput in SDN during normal conditions and low-rate DDoS attacks without any defence mechanism.

On the other hand, when the renyi entropy-based DDoS detection and mitigation framework is active the throughput tries to remain steady or even better than the normal condition during such type of attack as shown in Fig. 7.

Fig. 7

Throughput during normal condition and low-rate attack when the renyi entropy-based framework is active.

Figure-8 shows the average throughput pattern after 10 seconds with and without any detection mechanism before and during low-rate DDoS attacks. A significant declination of average throughput was observed during low-rate attack without any defence mechanism against it. On the other hand, when the renyi entropy-based DDoS detection and mitigation framework is active there is no significant declination of average throughput during low-rate attacks. Because, the controller can successfully detect and prevent such type of activity by analysing time interval-based entropy with the help of the framework.

Fig. 8

Average throughput before and during low-rate DDoS attack with and without renyi entropy framework.

3.3. MAC spoofing attack design using scapy:

To evaluate the robustness of the Rényi entropy–based DDoS detection and mitigation framework against spoofing-based threats, a MAC spoofing attack was simulated using the Scapy tool. In this attack model, all the hosts within the Mininet topology in figure-2 were deliberately configured to share the same MAC address. Under normal network behaviour, each host maintains a unique MAC address, ensuring a one-to-one mapping between IP and MAC identities. However, by assigning identical MAC addresses to different hosts, the spoofing attack introduces inconsistencies in the network’s address resolution process.

During the attack, malicious hosts generated traffic streams with duplicate MAC identities but distinct IP addresses. This anomaly results in entropy mismatches between source IP distribution (E1) and source MAC distribution (E5). In legitimate traffic, both entropies follow similar patterns, but under spoofing, the Rényi entropy values diverge significantly. The framework leverages this mismatch condition (E1 ≠ E5) to reliably identify MAC/IP spoofing-based DDoS attempts.

Once detected, the SDN controller—through OpenFlow rules—automatically blocks the offending hosts and keeps them blocked until they come back normal behaviour (i.e., E1 = E5), thereby preventing them from overwhelming the controller with malicious traffic. This experiment confirmed the framework’s capability to differentiate spoofed traffic from legitimate flows and mitigate the attack in real time without affecting normal network operations.

Figure 9 illustrates the detection-to-response time of the framework under low-rate TCP SYN flooding, low-rate ICMP flooding, and IP/MAC spoofing attacks. The results show that the Renyi entropy–based detection mechanism consistently responds within ~ 2 seconds. The slight variations across attempts reflect the framework’s adaptive thresholding, which improves accuracy by learning from historical entropy values. This demonstrates its ability to handle both stealthy low-rate attacks and spoofing attempts in near real time.

Fig. 9

Detection to response time of the framework under low-rate and IP spoofing-based DDoS attacks.

Figure 10 presents the detection-to-response time of the framework under high-rate protocol-based DDoS attacks (TCP SYN, UDP, and ICMP flooding). The results show that detection time varies depending on the protocol type, with ICMP flooding generally taking longer to detect during the first attempt (2.658s) before stabilizing at lower values in subsequent attempts. TCP SYN flooding shows moderate detection latency, peaking around 2.293s–2.272s, while UDP flooding is detected more quickly, often below 1s after the first attempt. These observations indicate that the framework can consistently detect and respond to high-rate attacks across different protocols within a few seconds, ensuring timely mitigation before the attack severely degrades network performance.

Fig. 10

Detection to response time of the framework under high-rate protocol-based DDoS attacks.

3.4. Detection accuracy and false positive evaluation

To validate the performance of the proposed Renyi entropy–driven DDoS defence framework, both its detection accuracy and false alarm rate across multiple attack scenarios was assessed, including high-rate flooding (TCP SYN, UDP, ICMP), low-rate pulsing attacks, and IP/MAC spoofing-based threats. In each experiment, a subset of hosts was intentionally configured to launch attacks, while other hosts generated normal background traffic.

The results indicate that the framework consistently achieved detection accuracy of up to 80%, though the values slightly varied with changes in traffic patterns and protocol types. For example, when four malicious hosts were active, the system successfully identified and blocked all of them, with one additional legitimate host occasionally flagged as suspicious. In another case, three attackers were correctly detected while one was missed, but no false positives were reported. The summarized detection accuracy (DA) and false positive rate (FPR) are shown in Table 2.

Table 2
Detection accuracy and false positive rate in different situations.
Cases	Detection Accuracy (DA)	False Positive Rate (FPR)
Case 1: 5 hosts blocked (4 attackers + 1 false positive)	80%	50%
Case 2: 2 hosts blocked (2 attackers detected, 1 missed)	80%	0%

An important feature of the framework is its automatic host recovery mechanism. Once a host is blocked, its traffic is continuously re-evaluated. If its entropy measures return to normal thresholds, the framework lifts the blocking rule, allowing the host to resume normal communication. This adaptive strategy minimizes the long-term impact of false alarms and ensures legitimate nodes are not permanently penalized.

Overall, the experimental evaluation highlights that the Renyi entropy–based framework is capable of maintaining a high detection rate while keeping false positives under control. Unlike static rule-based approaches, the dynamic blocking and unblocking process provides resilience, ensuring that the SDN controller can defend against diverse attack types while preserving network availability for legitimate users.

The suggested approach used extremely few resources in terms of computing efficiency. During the testing phase, CPU utilization stayed modest, ranging from 0.0% for the most of the time to a maximum of 2.5% to 10% during the active detection and mitigation stages. The memory use was constant between 41.6 MB and 45.4 MB, suggesting that the changes made to the flow rule and entropy computation result in very little overhead.

All experiments were carried out in a Mininet-WiFi virtual testbed using a Ryu SDN controller. The simulation environment was executed on a machine equipped with an AMD Ryzen 5 processor (3.30 GHz), 16 GB RAM, and a 512 GB SSD running Windows 11 operating system.

4. Conclusion and future scope

This study proposed a Rényi entropy–based multi-parameter framework to detect and mitigate different categories of DDoS attacks in Software-Defined Networking (SDN) environments. By simultaneously analysing five traffic attributes—source IP, source MAC, protocol type, packet size, and packet inter-arrival time—the framework addressed limitations of single-feature entropy approaches and demonstrated resilience against high-rate protocol floods, low-rate stealthy attacks, and spoofing-based intrusions. The inclusion of the IP–MAC entropy mismatch condition allowed reliable detection of spoofing attempts, while the dynamic threshold adaptation mechanism ensured robustness to normal traffic fluctuations. Experimental results in a Mininet-WiFi environment confirmed that the proposed framework maintained high detection accuracy (≈ 80%) with low false positive rates, responded to anomalies within a few seconds (2.5), and restored throughput during ongoing attacks. Furthermore, the resource uses remained minimal, ensuring scalability and real-time deployment potential.

Although the framework proved highly effective, some challenges remain. Detection performance showed slight variation with different traffic distributions, and response time under ICMP flooding was marginally higher. In addition, evolving attack strategies such as encrypted or adversarial crafted traffic were not considered in this study.

For future research, the framework can be enhanced by combining Rényi entropy with lightweight machine learning to adapt the entropy order (α) dynamically and refine threshold sensitivity. Evaluating the system in larger, multi-domain SDN topologies will further validate scalability. Moreover, integrating cooperative mechanisms—such as blockchain-based trust or federated learning across multiple controllers—could strengthen resilience against distributed and coordinated attacks.

Funding Declaration

The author would like to acknowledge the support from the Ministry of Higher Education under the Fundamental Research Grant Scheme (FRGS) FRGS/1/2022/TK07/UNIMAP/02/82) for funding this project.

Author Contribution

Safayat Jamil Siam : wrote the main manuscript text and prepared all the figures. Mohd. Rashidi Che Beson, Ku Nurul Fazira Ku Azir and Md Maruf Hassan reviewed the manuscript and provide necessary suggestions to improve it.

References

Sadiku, I. B., Ajayi, W., Sakpere, W., John-Dewole, T., & Badru, R. A. (2022). Effect of traditional and software-defined networking on performance of computer network. Scientific Journal of Informatics, 9(2), 111–122. https://doi.org/10.15294/sji.v9i2.31315

Haji, S. H., Zeebaree, S. R., Saeed, R. H., Ameen, S. Y., Shukur, H. M., Omar, N., & Yasin, H. M. (2021). Comparison of software defined networking with traditional networking. Asian Journal of Research in Computer Science, 9(2), 1–18. https://doi.org/10.9734/ajrcos/2021/v9i230216

Awais, M., Asif, M., Ahmad, M. B., Mahmood, T., & Munir, S. (2021, July). Comparative analysis of traditional and software defined networks. In 2021 Mohammad Ali Jinnah University International Conference on Computing (MAJICC) (pp. 1–6). IEEE. https://doi.org/10.1109/MAJICC53071.2021.9526236

Zoraida, B. S. E., & Indumathi, G. (2024). A comparative study on software-defined network with traditional networks. TEM Journal, 13(1), 167. https://doi.org/10.18421/TEM131-17

Nunes, B. A. A., Mendonca, M., Nguyen, X. N., Obraczka, K., & Turletti, T. (2014). A survey of software-defined networking: Past, present, and future of programmable networks. IEEE Communications surveys & tutorials, 16(3), 1617–1634. https://doi.org/10.1109/SURV.2014.012214.00180

Tsai, P. W., Tsai, C. W., Hsu, C. W., & Yang, C. S. (2018). Network monitoring in software-defined networking: A review. IEEE Systems Journal, 12(4), 3958–3969. https://doi.org/10.1109/JSYST.2018.2798060

Xie, J., Guo, D., Hu, Z., Qu, T., & Lv, P., Control plane of software defined networks:A survey, Computer communications 67 (2015) 1–10. https://doi.org/10.1016/j.comcom.2015.06.004

Yu, Y., Li, X., Leng, X., Song, L., Bu, K., Chen, Y., … Xiao, X. (2018). Fault management in software-defined networking: A survey. IEEE Communications Surveys & Tutorials,21(1), 349–392. https://doi.org/10.1109/COMST.2018.2868922.

Ndiaye, M., Hancke, G. P., & Abu-Mahfouz, A. M. (2017). Software defined networking for improved wireless sensor network management: A survey. Sensors (Basel, Switzerland), 17(5), 1031. https://doi.org/10.3390/s17051031

10.

Rasool, Z. I., Ali, A., R. S., & Abdulzahra, M. M. (2021, February). Network management in software-defined network: A survey. In IOP Conference Series: Materials Science and Engineering (Vol. 1094, No. 1, p. 012055). IOP Publishing. https://doi.org/10.1088/1757-899X/1094/1/012055

11.

AbdelBaky, M., Diaz-Montes, J., & Parashar, M. (2018). Software-defined environments for science and engineering. The International Journal of High Performance Computing Applications, 32(1), 104–122. https://doi.org/10.1177/1094342017710706

12.

Banitalebi Dehkordi, A., Soltanaghaei, M., & Boroujeni, F. Z. (2021). The DDoS attacks detection through machine learning and statistical methods in SDN. Journal of Supercomputing, 77(3). https://doi.org/10.1007/s11227-020-03323-w

13.

Jain, A. K., Shukla, H., & Goel, D. (2024). A comprehensive survey on DDoS detection, mitigation, and defense strategies in software-defined networks. Cluster Computing, 27(9), 13129–13164. https://doi.org/10.1007/s10586-024-04596-z

14.

Balarezo, J. F., Wang, S., Chavez, K. G., Al-Hourani, A., & Kandeepan, S. (2022). A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks. Engineering Science and Technology an International Journal, 31, 101065. https://doi.org/10.1016/j.jestch.2021.09.011

15.

Setitra, M. A., Fan, M., Benkhaddra, I., & Bensalem, Z. E. A. (2024). DoS/DDoS attacks in Software Defined Networks: Current situation, challenges and future directions. Computer Communications, 222, 77–96. https://doi.org/10.1016/j.comcom.2024.04.035

16.

Rashidi, C., Aljunid, S., Ghani, F., Anuar, M., & Fadhil, H. A. (2012). Code length optimization using flexible cross correlation (fcc) code in ocdma networks, in: IEEE 3rd international conference on photonics, IEEE, 2012, pp. 355–359. https://doi.org/10.1109/ICP.2012.6379828

17.

Keraf, N. D., Aljunid, S., Rashidi, C., & Ehkan, P. (2016). Performance of 2-d hybrid fccmdw code on ocdma system with the presence of phase induced intensity noise. ARPN J Eng Appl Sci, 11(22), 13203–13208.

18.

Rakissaga, W. A. O., Kouraogo, P. J., & Ouedraogo, T. F. (2025, May). Preventing DDoS Attacks in SDN Networks: A Model of Defense Against Packet-in Flooding. In 2025 IEEE World AI IoT Congress (AIIoT) (pp. 1025–1030). IEEE. https://doi.org/10.1109/AIIoT65859.2025.11105220

19.

Phu, A. T., Li, B., Ullah, F., Huque, T. U., Naha, R., Babar, M. A., & Nguyen, H. (2023). Defending SDN against packet injection attacks using deep learning. Computer Networks, 234, 109935. https://doi.org/10.1016/j.comnet.2023.109935

20.

Shah, S. Q. A., Khan, F. Z., & Ahmad, M. (2022). Mitigating TCP SYN flooding based EDOS attack in cloud computing environment using binomial distribution in SDN. Computer Communications, 182, 198–211. https://doi.org/10.1016/j.comcom.2021.11.008

21.

Kartadie, R., Kusjani, A., Warsito, R., Kusnanto, Y., & Harnaningrum, L. N. (2025). Implementation of ICMP flood detection and mitigation system based on software-defined network and sFlow-RT. TELKOMNIKA (Telecommunication Computing Electronics and Control), 23(3), 816–824. http://doi.org/10.12928/telkomnika.v23i3.26304

22.

Zhang, C., Hu, G., Chen, G., Sangaiah, A. K., Zhang, P. A., Yan, X., & Jiang, W. (2017). Towards a SDN-based integrated architecture for mitigating IP spoofing attack. Ieee Access : Practical Innovations, Open Solutions, 6, 22764–22777. https://doi.org/10.1109/ACCESS.2017.2785236

23.

Girdler, T., & Vassilakis, V. G. (2021). Implementing an intrusion detection and prevention system using Software-Defined Networking: Defending against ARP spoofing attacks and Blacklisted MAC Addresses. Computers & Electrical Engineering, 90, 106990. https://doi.org/10.1016/j.compeleceng.2021.106990

24.

Ahalawat, A., Babu, K. S., Turuk, A. K., & Patel, S. (2022). A low-rate DDoS detection and mitigation for SDN using Renyi Entropy with Packet Drop. Journal of Information Security and Applications, 68, 103212. https://doi.org/10.1016/j.jisa.2022.103212

25.

Jaraba, F., Mahajan, G., Jani, J., Ipu, R., & Butakov, S. (2024). Exploring current solutions against DDoS attacks in SDN environment. Procedia Computer Science, 238, 127–134. https://doi.org/10.1016/j.procs.2024.06.007

26.

Anusuya, R., Prabhu, M. R., Prathima, C., & Kumar, J. A. (2023). Detection of TCP, UDP and ICMP DDOS attacks in SDN Using Machine Learning approach. Journal of Survey in Fisheries Sciences, 10(4S), 964–971.

27.

Charleys, B. K., & Amuthaguka, D. (2024, March). Architecture and Attacks in Software Defined Networking, and its Security Using Machine Learning. In 2024 3rd International Conference on Sentiment Analysis and Deep Learning (ICSADL) (pp. 111–116). IEEE. https://doi.org/10.1109/ICSADL61749.2024.00024

28.

Kalkan, K., Altay, L., Gür, G., & Alagöz, F. (2018). JESS: Joint entropy-based DDoS defense scheme in SDN. IEEE Journal on Selected Areas in Communications, 36(10), 2358–2372. https://doi.org/10.1109/JSAC.2018.2869997

29.

Su, J., & Jiang, M. (2023). A hybrid entropy and blockchain approach for network security defense in SDN-based IIoT. Chinese Journal of Electronics, 32(3), 531–541. https://doi.org/10.23919/cje.2022.00.103

30.

Kareem, M. I., & Jasim, M. N. (2022). Entropy-based distributed denial of service attack detection in software-defined networking. Indonesian Journal of Electrical Engineering and Computer Science, 27(3), 1542–1549. http://doi.org/10.11591/ijeecs.v27.i3.pp1542-1549

31.

Mishra, A., Gupta, N., & Gupta, B. B. (2021). Defense mechanisms against DDoS attack based on entropy in SDN-cloud using POX controller. Telecommunication systems, 77(1), 47–62. https://doi.org/10.1007/s11235-020-00747-w

Yes