
Research on Multi-Layer Defense against DDoS Attacks in Intelligent Distribution Networks

1 Power Marketing Service & Operation Management Branch, Inner Mongolia Power (Group) Co., Ltd., Hohhot 010010, China
2 College of Information Engineering, Zhejiang University of Technology, Hangzhou 310000, China
* Author to whom correspondence should be addressed.
Electronics 2024, 13(18), 3583; https://doi.org/10.3390/electronics13183583
Submission received: 21 July 2024 / Revised: 28 August 2024 / Accepted: 6 September 2024 / Published: 10 September 2024

Abstract
With the continuous development of new power systems, the intelligence of distribution networks has been increasingly enhanced. However, network security issues, especially distributed denial-of-service (DDoS) attacks, pose a significant threat to the safe operation of distribution networks. This paper proposes a novel DDoS attack defense mechanism based on software-defined network (SDN) architecture, combining Rényi entropy and multi-level convolutional neural networks, and performs fine-grained analysis and screening of traffic data according to the amount of calculation to improve the accuracy of attack detection and response speed. Experimental verification shows that the proposed method excels in various metrics such as accuracy, precision, recall, and F1-score. It demonstrates significant advantages in dealing with different intensities of DDoS attacks, effectively enhancing the network security of user-side devices in power distribution networks.

1. Introduction

With the continuous development of new power systems, the intelligence of distribution networks has been greatly enhanced, and the networking and interconnection levels of user-side devices have significantly improved. Based on this network development, some scholars have proposed methods to prevent cyber-attacks using state estimation theories, such as distribution system state estimation (DSSE) [1] and blind false data injection attacks (FDIA) [2]. However, with these advancements, network security concerns have grown more severe, particularly distributed denial-of-service (DDoS) attacks, which present a considerable risk to the secure functioning of distribution networks [3]. DDoS attacks consume the resources of the target system through a large number of fake requests, rendering it unable to function normally, thereby affecting the stability and reliable operation of the power system [4,5,6,7]. Consequently, researching and developing effective DDoS attack defense mechanisms to ensure the network security of user-side devices in distribution networks has become a pressing issue that needs to be addressed.
In response to the DDoS attack defense mechanisms in distribution networks, substantial research has been conducted in both academia and industry. Among these, entropy-based methods play a crucial role in DDoS detection. Generally, entropy methods detect abnormal behavior by analyzing the distribution and variation of network traffic, thereby identifying and defending against DDoS attacks [8,9,10,11]. Li et al. [12] proposed a DDoS attack detection method based on φ-entropy for early detection of DDoS attacks in SDN networks. By adjusting the parameters of φ-entropy, this method amplifies the differences between normal and abnormal traffic characteristics, making it easier to detect attacks in the early stages of DDoS traffic formation. Anchal et al. [13] used Renyi entropy to detect DDoS attacks, enhancing detection accuracy and efficiency by selecting appropriate thresholds.
Trust value-based methods also play an important role in DDoS attack detection. These methods evaluate the behavior and interaction history of nodes to determine their trustworthiness, thereby identifying and defending against malicious attacks [14,15]. For example, Magdich et al. [16] proposed a trust management model that not only identifies trusted nodes but also uses machine learning techniques to detect and prevent malicious attacks by learning the characteristics of malicious node behavior. In another study, Wafa et al. [17] proposed a trust management model that analyzes the interaction behavior of nodes and assigns reasonable trust values to detect attacks. Additionally, Juan et al. [18] used mathematical models and statistical analysis to detect abnormal traffic, while Baskar [19] combined big data analysis techniques to accurately identify and defend against complex DDoS attacks.
Although these methods have shown excellent performance in DDoS attack detection, they still have some shortcomings in addressing the current complex types of DDoS attacks [20]. For instance, the use of fixed thresholds may not be flexible enough when dealing with dynamic DDoS attacks, leading to a decline in detection effectiveness. The methods proposed in [12,13] are not sufficiently accurate in low-density attacks. Similarly, the methods described in [16,17] do not respond promptly in dynamic network environments. Furthermore, as attack methods continue to evolve, these methods require constant updates and improvements to adapt to new network security challenges.
In recent years, deep learning methods have gradually become a new hotspot for researchers in the field of DDoS [21,22,23,24,25]. In addition, machine learning is a method capable of automatically learning models from data and making predictions. Common machine learning methods include support vector machine (SVM) [26], gated recurrent unit (GRU) [27], convolutional neural network (CNN) [28], and so on. Zhou et al. [29] combined big data analytics and machine learning methods to address network traffic monitoring and DDoS detection issues, achieving excellent results. Elsier et al. [30] utilized an ensemble classifier called V-NKDE to accurately detect and mitigate DDoS attacks in SDN. In the application of machine learning, CNN is increasingly favored in the field of DDoS detection due to its excellent feature extraction capabilities [31,32]. Cheng et al. [33] proposed a CNN detection method based on network flow grayscale matrix features. This method improves the accuracy of feature segmentation by extracting global and local features using convolution kernels of different spatial scales. Experiments demonstrate that this method enhances the robustness of the classifier, reduces false alarm and missed alarm rates, and effectively detects DDoS attacks in a big data environment. Harish [34] proposed a hybrid deep CNN-RF model for detecting low-level DDoS attacks. This method addresses the challenge of accurately identifying low-rate DDoS attacks, and the proposed model performs excellently in real-time detection scenarios, significantly improving the detection rate and reducing the false alarm rate. However, general machine learning models usually contain a large number of parameters, requiring high computational resources for training and inference, making deployment in resource-constrained environments challenging. Additionally, there is significant resource wastage when dealing with low-saturation DDoS attacks. 
Researchers need to find a balance between model accuracy and practical deployment feasibility to achieve an efficient and scalable DDoS detection system.
In summary, existing DDoS attack defense mechanisms must continuously improve and optimize in response to increasingly complex network environments and attack techniques to enhance the network security of user-side devices in power distribution networks. Based on the above research, this paper proposes a novel DDoS attack defense mechanism to ensure the safe operation of user-side devices in power distribution networks. The main contributions of this paper are as follows:
  • Firstly, this paper conducts a DDoS security analysis on the new power distribution communication network based on SDN architecture.
  • Secondly, with the progressive nature of computation in mind, a three-layer defense architecture is designed from shallow to deep, efficiently preventing resource wastage in detecting low-intensity DDoS attacks.
  • Thirdly, this paper employs Rényi entropy for DDoS detection. This step is improved for complex DDoS attacks, and when combined with the random forest classifier, it effectively detects potential DDoS behaviors in the traffic passing through switches.
  • Finally, this paper uses a dual defense method combining BiCNN and OneDCNN to inspect and filter port traffic, ensuring normal communication of valid traffic while eliminating malicious traffic.

2. System Models

2.1. Network Composition of User-Side Devices in Distribution Networks

Traditional active distribution networks comprise numerous devices, lines, distributed power sources, and energy storage facilities, generating vast amounts of data transmission. This imposes high demands on the transmission quality of the communication system. Due to practical constraints, how to utilize the limited resources in the current network to meet the vast and varied QoS (quality of service) demands has become a significant obstacle to the continued advancement of active distribution networks [35,36]. The emerging SDN framework can address these issues by separating the network control layer from the data distribution layer.
Software-defined networking is an architecture that achieves flexible and efficient management by decoupling the network control plane from the data plane [37,38,39]. Its implementation logic mainly relies on the OpenFlow protocol [40]. Through this protocol, centralized controllers, such as the Ryu controller, can directly communicate with network devices (e.g., switches and routers) and dynamically adjust data flow paths. The Ryu controller manages and allocates network resources based on predefined policies or real-time network status, ensuring efficient traffic transmission. The OpenFlow protocol allows controllers to send instructions to network devices, making network configuration and management automated and programmable, thereby enhancing network adaptability and scalability. The SDN network structure in distribution communication networks is shown in Figure 1.
One of the primary objectives of SDNs is to enable interaction with network devices, establishing an open network framework for everyone. This way, users can obtain a global topology view of the entire communication network and make global changes without accessing the unique hardware of each device. Ultimately, various large-scale network frameworks can be easily deployed and maintained while maintaining elasticity and robustness.
In Figure 2, user-side IoT devices in the SDN-based distribution networks consist of user-side IoT device terminals (hereinafter referred to as “terminals”), the user-side IoT device network switch OpenvSwitch (hereinafter referred to as “OVS”), and a user-side IoT device cloud and control platform (hereinafter referred to as “control platform” or “cloud”). These components are connected through the Internet [41,42,43].
The control platform is mainly responsible for storing and analyzing interactive information such as terminal measurement data and mobile application control instructions. It also manages the behavior of OVS through flow tables, serving as the core hub for transmitting information and control instructions for user-side IoT devices in distribution networks. The OVS handles the information transmission of terminals, receiving flow tables from the control platform to allocate routes for the terminals, collecting network status, and sending data for analysis to the controller. The terminal acts as the interaction node between the information domain and the physical domain. On one hand, it uploads measurement data collected by sensors to the cloud server, and on the other hand, it adjusts its operating power according to user and cloud control instructions to meet user needs. This information on physical interaction is reflected in the issuance and implementation of control instructions, specifically manifested in the execution of control instructions by terminals and the energy exchange between terminals and the power system.

2.2. DDoS

A distributed denial-of-service (DDoS) attack is a network attack where multiple compromised computers (often referred to as a botnet) simultaneously send a large number of requests to a target server, overwhelming the target system and preventing it from providing normal services [44,45]. Common forms of DDoS attacks include the following [46]:
- SYN Flood: Attackers send a large number of SYN request packets to the target server but do not complete the TCP three-way handshake, thereby exhausting the server’s connection resources.
- ICMP Flood: Using the ICMP protocol, attackers send numerous ping request packets to the target server, causing the server to become busy responding to these requests and depleting its resources.
- UDP Flood: Attackers send a large number of UDP packets to random ports on the target server, forcing the server to continuously check and respond to these nonexistent requests, thus consuming the server’s computational resources.
Traditional DDoS attacks can typically be effectively mitigated through methods such as traffic rate limiting, blacklist filtering, and firewall rules. However, with the emergence of new types of DDoS attacks, such as those using spoofed IP techniques, these conventional defense techniques have become largely ineffective [47,48]. Previous defense methods against new types of DDoS attacks often relied on extensive data analysis, such as deep packet inspection (DPI) [49] and traffic behavior analysis [50]. These methods require analyzing large amounts of network data to identify abnormal traffic patterns and distinguish between legitimate and attack traffic. However, this demands high processing capabilities from data centers, resulting in significant resource consumption and performance bottlenecks. For instance, DPI requires real-time analysis of each packet’s content, while traffic behavior analysis necessitates long-term monitoring and analysis of traffic patterns.
Therefore, there is an urgent need for a more lightweight method that can effectively detect and defend against external attacks while minimizing computational resource usage, thereby enhancing overall network security and efficiency. To counteract new types of DDoS attacks, a multi-layered defense strategy can be employed, implementing different levels of traffic filtering at various stages to achieve real-time monitoring needs within limited computational capacity.

3. Methodology

3.1. DDoS Detection Based on Rényi Entropy

Rényi entropy is a generalized entropy measure used to describe the diversity and uncertainty of probability distributions. It was introduced by the Hungarian mathematician Alfréd Rényi and is defined as follows [13]:
$$H_\alpha(X) = \frac{1}{1-\alpha}\log\sum_{i=1}^{n} p_i^{\alpha}$$
Here, $\alpha \ge 0$ is the order of the Rényi entropy, and $p_i$ is the probability of the $i$-th state. When $\alpha$ equals 1, the Rényi entropy is equivalent to the Shannon entropy [13].
$$H_1 = -\sum_{i=1}^{n} p_i \log p_i$$
When α varies, the calculation of Rényi entropy exhibits different sensitivities to different parts of the probability distribution. For instance, when α < 1, Rényi entropy is more sensitive to events with low probabilities; when α > 1, Rényi entropy is more sensitive to events with high probabilities.
In network traffic analysis and DDoS attack detection, multi-order Rényi entropy is widely used to measure the complexity and uncertainty of network traffic. By calculating the Rényi entropy of network traffic, abnormal traffic patterns can be identified, which is crucial for detecting DDoS attacks.
However, since Rényi entropy is a threshold-driven detection method, its effectiveness diminishes when dealing with complex DDoS attacks. Complex DDoS attacks typically combine various attack techniques, such as flooding attacks, application-layer attacks, and reflection attacks, to increase the difficulty of defense. Additionally, attackers may simulate normal user behavior, obscuring traffic characteristics and continuously changing attack patterns and traffic features, making detection and defense more challenging. In such cases, standard Rényi entropy struggles to distinguish between normal and abnormal traffic because the actual threshold in the network keeps changing, and the sensitivity of the standard static-threshold Rényi method is insufficient.
To address the shortcomings of standard Rényi entropy in dealing with complex DDoS attacks, our work integrates a random forest classifier with Rényi entropy for detection. By using the random forest classifier to replace the threshold function, analysis of the characteristics of traffic distribution can be more comprehensive, thereby improving the detection capability against dynamic traffic pattern attacks.
For low-probability events (such as forged traffic), this paper uses Rényi entropy with α < 1, for example:
$$H_{0.5}(X) = \frac{1}{1-0.5}\log\sum_{i=1}^{n} p_i^{0.5} = 2\log\sum_{i=1}^{n}\sqrt{p_i}$$
For overall complexity analysis, this paper uses Shannon entropy with α = 1:
$$H_1(X) = -\sum_{i=1}^{n} p_i \log p_i$$
For high-probability events (such as frequently occurring traffic), this paper uses Rényi entropy with α > 1, such as collision entropy:
$$H_2(X) = \frac{1}{1-2}\log\sum_{i=1}^{n} p_i^{2} = -\log\sum_{i=1}^{n} p_i^{2}$$
By integrating the results of multi-order Rényi entropy, our method can effectively respond to dynamic network environments, improving the accuracy and robustness of DDoS attack detection. This method enhances sensitivity to low-probability events while also accounting for overall complexity and the characteristics of high-probability events, providing a more comprehensive and efficient DDoS attack prevention solution.
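As an added example (not code from the paper), the following Python computes the multi-order Rényi entropies above over per-window flow records, treating α = 1 as the Shannon limit and skipping zero-probability states; the IP addresses and flow counts are constructed for illustration, and the resulting per-window feature vector is the kind of input a classifier such as the random forest described here would consume.

```python
import math
from collections import Counter


def distribution(values):
    """Empirical probability p_i of each distinct value observed in a window."""
    counts = Counter(values)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def renyi_entropy(probs, alpha):
    """H_alpha(X) = 1/(1-alpha) * log2(sum_i p_i^alpha), in bits.

    alpha = 1 is handled as the Shannon limit; zero-probability states are
    dropped because p^alpha -> 0 (alpha > 0) and 0*log 0 is taken as 0.
    """
    if alpha < 0:
        raise ValueError("order alpha must be non-negative")
    probs = [p for p in probs if p > 0]
    if alpha == 1:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1 - alpha)


def entropy_features(window, orders=(0.5, 1, 2)):
    """Feature vector for one sampling window: H_alpha of the source-IP and
    destination-IP distributions for each order (0.5 = low-probability
    sensitive, 1 = Shannon, 2 = collision entropy)."""
    src_p = distribution(f[0] for f in window)
    dst_p = distribution(f[1] for f in window)
    feats = {}
    for a in orders:
        feats[f"src_H{a}"] = renyi_entropy(src_p, a)
        feats[f"dst_H{a}"] = renyi_entropy(dst_p, a)
    return feats


# Constructed flow records (src_ip, dst_ip) for one sampling window of normal
# traffic between hosts on two switches; values are made up for illustration.
NORMAL_WINDOW = [
    ("10.0.3.2", "10.0.3.1"), ("10.0.3.3", "10.0.3.1"), ("10.0.4.1", "10.0.3.1"),
    ("10.0.4.2", "10.0.4.1"), ("10.0.3.1", "10.0.4.2"), ("10.0.3.2", "10.0.4.1"),
    ("10.0.4.1", "10.0.3.3"), ("10.0.3.3", "10.0.4.2"), ("10.0.4.2", "10.0.3.2"),
    ("10.0.3.1", "10.0.3.2"), ("10.0.4.1", "10.0.4.2"), ("10.0.3.2", "10.0.3.3"),
]
# Constructed flood window: the same normal traffic plus many flows from
# distinct (spoofed) sources all aimed at a single victim host.
SPOOFED_FLOOD = [(f"10.0.5.{i}", "10.0.3.1") for i in range(1, 61)]
ATTACK_WINDOW = NORMAL_WINDOW + SPOOFED_FLOOD


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        feats = entropy_features(window)
        print(name, {k: round(v, 3) for k, v in feats.items()})
```

Under the spoofed flood the source-IP entropies rise (many new sources) while the destination-IP entropies fall (one victim dominates), which is the pair of shifts the per-window feature vector exposes to the classifier.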

3.2. Random Forest Classifier

The system aims to assess the vulnerability of a network over a series of time windows $T$ in the presence of external attacks characterized by the strategy $\pi_{att}$. Each node in the network, denoted as $v_i$, is assigned a probability of being attacked, represented as $p_{v_i} = \pi_{att}(v_i)$. Within each time window $\tau$, node $v_i$ generates a set of send-receive records that, to some extent, indicate the node’s susceptibility to attacks:
$$G_T = \sum_{i=1}^{n} p_i(1-p_i)$$
where $G_T$ is the Gini index, and $p_i$ is the probability of class $i$.
Combining Classification Results: During the prediction phase, the random forest determines the final classification result by integrating the predictions of all decision trees. For classification problems, a voting mechanism [51] is used, where the class with the most votes is selected as the final output.
$$\hat{y} = \operatorname{mode}\{h_1(x), h_2(x), \ldots, h_B(x)\}$$
where $\hat{y}$ is the final prediction result, and $h_b(x)$ is the prediction result of the $b$-th decision tree for the sample $x$.
The choice of the random forest classifier is driven by several key advantages that it offers. Firstly, random forest classifiers are known for their robustness and ability to handle high-dimensional data, which is essential in dynamic traffic environments where network features can be numerous and complex. Secondly, they provide a good balance between bias and variance, thus enhancing the stability and accuracy of the classification results. Additionally, the ensemble nature of random forests allows for effective management of overfitting, a common issue in machine learning models dealing with intricate patterns in attack data.
By incorporating the random forest classifier, our method can effectively associate Rényi entropy values with the detection of DDoS attacks in a high-dimensional space, enhancing the ability to identify attacks in dynamic traffic environments.

3.3. Convolutional Neural Network

Deep learning is an advanced method in the field of machine learning that processes complex data and tasks by mimicking the structure and functionality of the human brain. Convolutional neural networks (CNNs) [26] are a significant architecture within deep learning. CNNs utilize convolution operations and a hierarchical feature extraction mechanism to achieve efficient data processing and analysis.
The convolutional layer is the core component of CNNs. It performs convolution operations on input data through a local receptive field, extracting local features. The convolution operation [26] is defined as follows:
$$y_{i,j}^{(k)} = \sum_{m=0}^{M-1}\sum_{n=0}^{N-1} x_{i+m,\,j+n}\, w_{m,n}^{(k)} + b^{(k)}$$
where $y_{i,j}^{(k)}$ is the output of the $k$-th convolution kernel at position $(i,j)$, $x_{i+m,j+n}$ is the value of the input data at position $(i+m, j+n)$, $w_{m,n}^{(k)}$ is the weight of the $k$-th convolution kernel at position $(m,n)$, and $b^{(k)}$ is the bias of the $k$-th convolution kernel. The convolution kernel slides over the input data and generates a feature map through weighted summation, capturing features such as the edges and corners of the image.
The pooling layer is used for subsampling, reducing the data dimensionality and computational complexity while preserving important features. Common pooling operations include max pooling and average pooling. The mathematical expression [26] for max pooling is as follows:
$$P_{i,j} = \max_{0 \le m < p,\; 0 \le n < q} x_{p i + m,\; q j + n}$$
where $P$ represents the pooled output, $x$ is the input feature map, and $p$ and $q$ are the pooling window sizes. Max pooling selects the maximum value within the pooling window, reducing the spatial dimensions.
The fully connected layer performs a comprehensive feature extraction by flattening the feature map from the previous layer into a one-dimensional vector and then applying a linear transformation with a weight matrix. The mathematical expression [26] is as follows:
$$y = Wx + b$$
where $y$ is the output vector, $W$ is the weight matrix, $x$ is the input vector, and $b$ is the bias vector. The fully connected layer, combined with a nonlinear activation function, enables complex mapping of high-dimensional features.
During the training process of deep learning models, the Adam optimization algorithm is a commonly used gradient descent method. Adam combines the methods of momentum and RMSProp, enhancing training efficiency through adaptive learning rates. Its update rule [52] is as follows:
$$\begin{aligned}
m_t &= \beta_1 m_{t-1} + (1-\beta_1)\, g_t \\
v_t &= \beta_2 v_{t-1} + (1-\beta_2)\, g_t^2 \\
\hat{m}_t &= \frac{m_t}{1-\beta_1^t} \\
\hat{v}_t &= \frac{v_t}{1-\beta_2^t} \\
\theta_{t+1} &= \theta_t - \alpha \frac{\hat{m}_t}{\sqrt{\hat{v}_t} + \epsilon}
\end{aligned}$$
where $m_t$ and $v_t$ are the first and second moment estimates of the gradient, $\beta_1$ and $\beta_2$ are the decay rates, $\alpha$ is the learning rate, $\theta$ is the parameter, $g_t$ is the gradient, and $\epsilon$ is a small constant to prevent division by zero.
Through the collaborative work of convolutional layers, pooling layers, and fully connected layers, CNNs can effectively extract and integrate image features, thus performing excellently in tasks such as target classification and attack detection. Combined with the Adam optimization algorithm, the training process of CNNs is accelerated and optimized, improving the model’s generalization ability and accuracy.

4. System Design

This paper designs an efficient three-layer defense mechanism to counter DDoS attacks on user-side devices in power distribution networks. This mechanism combines the advantages of Rényi entropy, random forest classifier, binary convolutional neural network (BiCNN), and one-dimensional convolutional neural network (OneDCNN). Through multi-layer detection and filtering, it effectively enhances the accuracy and response speed of DDoS attack detection. The detailed design is as follows:
The first layer employs Rényi entropy and a random forest classifier for preliminary detection. On a global level, it extracts necessary data features from all flows, distinguishes flows by switches, and places them into containers. The computation module periodically samples from the containers for processing and then clears the containers. When an anomaly is detected, a warning is sent to the second layer. This layer operates in an independent thread.
The second layer uses BiCNN. Upon receiving an alert, this layer collects features from the suspicious switch by port and places them into a buffer. BiCNN performs calculations for each port in a polling manner and clears the buffer. If an anomaly is detected, a warning is sent to the third layer. This layer also operates in an independent thread.
The third layer is OneDCNN, running in the main thread of the controller. Unlike the first two layers, the third layer does not extract data from the buffer but directly filters and decides on packets, inspecting the content of each packet.
The design of this three-layer progressive mechanism offers several advantages:
  • Without the first layer, BiCNN would need to run continuously, constantly monitoring each switch. Since BiCNN is based on CNN, its computational load and model size are significantly higher compared to the Rényi entropy and random forest combination, which retrieves fewer features. Under low-saturation DDoS attacks, most of the time, there are no abnormal data in the switch, leading to resource wastage.
  • Without the second layer, OneDCNN would need to filter all packets across the entire network upon receiving the first layer’s alert, resulting in an excessive computational load that could crash the system.
  • Without the third layer, the mechanism cannot participate in the controller’s decision-making process, rendering it unable to perform packet filtering.
This three-layer defense mechanism, through rational progressive computation and hierarchical design, effectively avoids resource wastage and computational overload. It performs excellently in responding to varying intensities of DDoS attacks, providing strong security for the safe operation of user-side devices in power distribution networks.
Rényi entropy paired with the random forest classifier is used in this paper to monitor the overall network situation. The monitoring features are as follows: Flow Duration, Total Fwd Packets, Total Backward Packets, Fwd Packets Length Total, Bwd Packets Length Total, Flow Bytes/s, and Flow Packets/s.
BiCNN (binary convolutional neural network) is the core component used for port filtering in this paper. Its structural design includes multiple convolutional layers, pooling layers, and fully connected layers. BiCNN, through its bidirectional structure—forward convolution and backward convolution—can simultaneously capture the forward and backward dependency information of data sequences, thereby better understanding the global features of traffic data.
In BiCNN, a binary parameterization method is used to simplify computational complexity and reduce parameters. Specifically, the input data is binarized to +1 or −1 before convolution operations. The binarization formula is as follows:
$$x = \begin{cases} +1 & \text{if } x \ge \theta \\ -1 & \text{if } x < \theta \end{cases}$$
Here, $\theta$ is the threshold for binarization, typically set to the mean of the data or 0. Binarization has significant characteristics and advantages. Firstly, binarization standardizes the data range, making subsequent calculations more stable. Secondly, binarization greatly simplifies computational complexity, reducing floating-point multiplication operations to addition and subtraction operations, thereby decreasing the consumption of model parameters and computational resources. This makes BiCNN more efficient in handling large-scale data and suitable for running on low-power devices.
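As an added example (not the paper's BiCNN or OneDCNN code), the following Python implements the convolution and max-pooling equations of Section 3.3 together with the binarization step above, and shows the multiply-free convolution the text describes: on a ±1 input each product reduces to adding or subtracting a kernel weight. The 6×6 traffic feature matrix, kernel and bias are constructed values.

```python
def conv2d(x, kernels, biases):
    """Valid 2-D convolution per y_{i,j}^{(k)} = sum_m sum_n x_{i+m,j+n} w_{m,n}^{(k)} + b^{(k)}."""
    H, W = len(x), len(x[0])
    out = []
    for k, w in enumerate(kernels):
        M, N = len(w), len(w[0])
        fmap = [[sum(x[i + m][j + n] * w[m][n] for m in range(M) for n in range(N)) + biases[k]
                 for j in range(W - N + 1)] for i in range(H - M + 1)]
        out.append(fmap)
    return out


def max_pool(fmap, p, q):
    """P_{i,j} = max over 0<=m<p, 0<=n<q of x_{p*i+m, q*j+n} (non-overlapping windows)."""
    H, W = len(fmap), len(fmap[0])
    return [[max(fmap[p * i + m][q * j + n] for m in range(p) for n in range(q))
             for j in range(W // q)] for i in range(H // p)]


def binarize(x, theta=None):
    """Map every element to +1 if it is >= theta, else -1; theta defaults to the mean."""
    flat = [v for row in x for v in row]
    if theta is None:
        theta = sum(flat) / len(flat)
    return [[1 if v >= theta else -1 for v in row] for row in x]


def binary_conv2d(xb, kernels, biases):
    """Same convolution as conv2d on a +-1 input, but with no multiplications:
    x*w is +w when x = +1 and -w when x = -1, so weights are only added or subtracted."""
    H, W = len(xb), len(xb[0])
    out = []
    for k, w in enumerate(kernels):
        M, N = len(w), len(w[0])
        fmap = []
        for i in range(H - M + 1):
            row = []
            for j in range(W - N + 1):
                acc = biases[k]
                for m in range(M):
                    for n in range(N):
                        acc += w[m][n] if xb[i + m][j + n] > 0 else -w[m][n]
                row.append(acc)
            fmap.append(row)
        out.append(fmap)
    return out


# Constructed 6x6 feature matrix for one port window (values made up): rows are
# sampled flows, columns are normalised features; the right half is "hot".
FEATURES = [
    [0.10, 0.20, 0.05, 0.90, 0.85, 0.95],
    [0.15, 0.10, 0.00, 0.92, 0.88, 0.97],
    [0.05, 0.25, 0.10, 0.80, 0.91, 0.90],
    [0.12, 0.18, 0.07, 0.95, 0.93, 0.99],
    [0.08, 0.22, 0.02, 0.89, 0.87, 0.94],
    [0.11, 0.19, 0.09, 0.91, 0.90, 0.96],
]
# One constructed 2x2 kernel that responds to a low-to-high step across columns.
KERNELS = [[[-1.0, 1.0], [-1.0, 1.0]]]
BIASES = [0.0]


def binarized_feature_map():
    """Binarize the window (theta = mean), convolve without multiplications, pool 2x2."""
    xb = binarize(FEATURES)
    fmap = binary_conv2d(xb, KERNELS, BIASES)[0]
    return max_pool(fmap, 2, 2)


if __name__ == "__main__":
    print(binarized_feature_map())   # the step between the two halves shows up in column 1
```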
BiCNN, by extracting global features of traffic data, can initially identify potential attack ports. Specifically, BiCNN performs convolution operations on the data of each port, generating and analyzing feature maps to determine if there is abnormal traffic at the port. Once an abnormal port is detected, BiCNN marks the port as high-risk and forwards it to the next layer for further detection. Table 1 is the parameters used by BiCNN, and Table 2 is the features used by Rényi and BiCNN.
One-dimensional convolutional neural network (OneDCNN) is used in this paper for fine-grained screening of traffic packets. Unlike BiCNN, OneDCNN primarily extracts local features of traffic data through one-dimensional convolution operations. Its structural design includes one-dimensional convolutional layers, pooling layers, and fully connected layers.
The characteristic of OneDCNN lies in its efficient feature extraction capability. One-dimensional convolution can capture local patterns in the data, thereby quickly identifying abnormal features in the traffic, which is particularly important for real-time detection and response to DDoS attacks. Table 3 and Table 4 represent the parameters and feature sets utilized by OneDCNN, respectively.
In specific applications, OneDCNN is used to further screen the traffic packets of high-risk ports marked by BiCNN. OneDCNN extracts local features and classifies them through one-dimensional convolution operations on the traffic packets. Specifically, OneDCNN analyzes the feature maps of each packet and determines whether the packet is DDoS attack traffic based on the output of the fully connected layers. Based on OneDCNN’s judgment, the system decides whether to discard the packet, thereby filtering malicious traffic. This significantly reduces the consumption of computational resources and is suitable for DDoS attack defense on the user-side devices of the power distribution network.

5. Results and Validation

This chapter provides a detailed description of the experimental design, the construction of the experimental platform, the definition of evaluation criteria, and the analysis of experimental results to comprehensively verify the effectiveness and superiority of the proposed method.

5.1. Experimental Topology

The equipment used in this experiment is listed in Table 5.
This experiment used the Mininet platform to construct a complex ring network topology. Specifically, this topology consists of six Open vSwitches (OVS) forming a ring, with each OVS connected to three hosts. To simulate DDoS attacks, we employed the hping3 tool to generate various types of attack traffic, including UDP Flood, SYN Flood, and ICMP Flood attack modes. The target IP addresses of the attacks were constantly changed to mimic the scenario of attackers forging IPs for real-time dynamic attacks. The network topology is illustrated in Figure 3.
Figure 3 illustrates the process of a DDoS (distributed denial of service) attack within a network environment. The diagram includes various nodes and their interactions, described in detail as follows:
Controller (10.12.53.192): This central server is responsible for coordinating and managing network operations.
Open vSwitches: Two open virtual switches, labeled as Open vSwitch 3 and Open vSwitch 4, are connected to the controller and manage the flow of data between different nodes.
Description of the attack process:
Attack Node (10.0.4.3): The attacker sends a large amount of malicious traffic through the attack node. This traffic is sent through Open vSwitch 4 into the network, aiming to overwhelm network resources.
Spoofed IP Node (10.0.5.1): The attacker uses a node with a spoofed IP address to hide the real source of the attack. This spoofed traffic makes detection and defense more difficult. The spoofed traffic also enters the network through Open vSwitch 4.
Victim Node (10.0.3.1): The malicious traffic is routed through Open vSwitch 3 and eventually reaches the victim node. The victim node becomes overwhelmed due to the excessive traffic, leading to service disruption or denial of service.
Normal Communication Nodes (10.0.3.2, 10.0.3.3, 10.0.4.1, and 10.0.4.2): These nodes, connected to Open vSwitch 3, experience severe communication disruption due to network congestion and resource competition.
Normal Communication Nodes (10.0.4.1 and 10.0.4.2): These nodes, connected to Open vSwitch 4, also suffer from degraded communication quality or interruptions as network resources are consumed by the malicious traffic.
This structure demonstrates how attackers coordinate a DDoS attack through multiple nodes, targeting the victim node to overload it and disrupt normal communication across the network. The red dashed lines represent the management connections between the controller and the open virtual switches, while the solid black lines denote the data connections between the switches and the nodes.
Dynamically changing the attack IPs lets us simulate DDoS scenarios closer to real network environments and evaluate the detection methods under varying conditions.

5.2. Baselines

To validate the effectiveness of our method, we selected the following classic baseline methods for comparison:
  • φ-entropy [12]: analyzes traffic characteristics using φ-entropy to detect attacks early. φ-entropy amplifies the differences between traffic classes by adjusting its parameters. As a non-machine-learning method it performs well in early attack detection and is particularly suited to flagging anomalous traffic by emphasizing data differences through parameter tuning.
  • Spark Streaming and Flink [29]: an online internet-traffic monitoring and DDoS detection approach built on big-data stream-processing frameworks (Spark Streaming and Flink). It targets large-scale internet traffic monitoring and reaches high detection rates with machine-learning classifiers.
  • Dual-CNN [26]: uses CNNs in both of the first two layers of the three-layer detection mechanism proposed in this paper. With convolutional, pooling and fully connected layers, CNNs extract and integrate image-like features effectively and excel at classification tasks such as attack detection, but this effectiveness comes at the cost of a large number of parameters.
  • Dual-Rényi [11]: uses Rényi entropy in both of the first two layers of the three-layer detection mechanism. Comparing against it shows the benefit of adding the random forest classifier and of using the BiCNN in the second layer in our work.

5.3. Evaluation Criteria

To evaluate the model comprehensively under different attack intensities, we use four standard classification metrics: accuracy, precision, recall and F1-score. They are defined in terms of the following counts, with attack traffic as the positive class:
TP (true positives): positive samples correctly predicted as positive.
TN (true negatives): negative samples correctly predicted as negative.
FP (false positives): negative samples incorrectly predicted as positive.
FN (false negatives): positive samples incorrectly predicted as negative.
Accuracy is the proportion of correctly predicted samples among all samples:
$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$$
Precision is the proportion of true positives among the samples predicted as positive:
$$\mathrm{Precision} = \frac{TP}{TP + FP}$$
Recall is the proportion of actual positives that are correctly predicted as positive:
$$\mathrm{Recall} = \frac{TP}{TP + FN}$$
The F1-score is the harmonic mean of precision and recall, so it is high only when both are high:
$$\mathrm{F1\text{-}score} = \frac{2 \cdot \mathrm{Precision} \cdot \mathrm{Recall}}{\mathrm{Precision} + \mathrm{Recall}}$$

5.4. Attack Modes

To evaluate the proposed method under different attack intensities, we divide the attack intensity (the proportion of attack records in a batch) into the ranges shown in Table 6.
Data are processed in batches of 100 records, each batch forming a two-dimensional matrix that is fed to the neural network model. Specifically:
  • Each batch contains 100 records, for both training and testing.
  • Two kinds of batches are drawn from the dataset: batches consisting entirely of benign records, labelled benign, and batches containing attack records, labelled attack, in which the proportion of attack records follows the Table 6 distribution.
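The batching and labelling scheme above, together with the Section 5.3 metrics, as an added Python example (not the authors' code). The per-record flow features, the benign burst rate and the stand-in threshold detector are constructed assumptions of mine; what the block shows is how the Table 6 intensity bins translate into attack records per 100-record batch, how a batch-level detector is scored against the two batch types, and how the metrics are kept well defined when a detector predicts no positives at all.

```python
"""Added example (not the paper's code): build labelled 100-record batches at the
Table 6 attack intensities and score a batch-level detector with the Section 5.3
metrics.  The per-record features, the benign burst rate and the threshold
detector are constructed assumptions; the batching and labelling follow 5.4."""
import random

BATCH_SIZE = 100  # the paper groups 100 flow records into one 2-D input matrix

# Table 6 schedule as (low, high) fractions of attack records in an attack batch
INTERVALS = [(0.01, 0.03), (0.04, 0.07), (0.08, 0.10), (0.11, 0.14)]
SINGLE_VALUES = [(v, v) for v in (0.15, 0.16, 0.17, 0.18, 0.19, 0.20)]


def make_batch(intensity, attack, rng):
    """Return (rows, label). rows is BATCH_SIZE x 2: [flow packets/s, SYN flag count];
    label is 1 for an attack batch and 0 for an all-benign batch. Attack and benign
    packet rates overlap on purpose so that low intensities are genuinely hard."""
    lo, hi = intensity
    n_attack = round(BATCH_SIZE * rng.uniform(lo, hi)) if attack else 0
    rows = []
    for i in range(BATCH_SIZE):
        if i < n_attack:
            rows.append([rng.uniform(200.0, 2000.0), rng.randint(10, 60)])  # flood record
        elif rng.random() < 0.005:
            rows.append([rng.uniform(300.0, 600.0), rng.randint(0, 3)])     # benign burst
        else:
            rows.append([rng.uniform(5.0, 300.0), rng.randint(0, 2)])       # benign record
    rng.shuffle(rows)
    return rows, int(attack)


def sample_batch(intensity, attack, seed=0):
    """make_batch with a seeded generator, for reproducible inspection."""
    return make_batch(intensity, attack, random.Random(seed))


def threshold_detector(rows, pps_limit=300.0, min_rows=3):
    """Stand-in for the paper's classifiers: call the batch an attack when at least
    min_rows records exceed pps_limit packets/s."""
    return int(sum(1 for pps, _ in rows if pps > pps_limit) >= min_rows)


def confusion(labels, preds):
    """(TP, TN, FP, FN) with the attack batch (label 1) as the positive class."""
    tp = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 1)
    tn = sum(1 for y, p in zip(labels, preds) if y == 0 and p == 0)
    fp = sum(1 for y, p in zip(labels, preds) if y == 0 and p == 1)
    fn = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 0)
    return tp, tn, fp, fn


def metrics(tp, tn, fp, fn):
    """Accuracy, precision, recall and F1 as in Section 5.3. A metric whose
    denominator is 0 (no predicted or no actual positives) is reported as 0.0
    instead of raising, which also keeps F1 defined."""
    total = tp + tn + fp + fn
    acc = (tp + tn) / total if total else 0.0
    pre = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * pre * rec / (pre + rec) if pre + rec else 0.0
    return {"acc": acc, "pre": pre, "rec": rec, "f1": f1}


def evaluate(detector, intensity, n_batches=50, seed=0):
    """Score `detector` on n_batches attack batches at `intensity` plus n_batches
    all-benign batches, the two batch types of Section 5.4."""
    rng = random.Random(seed)
    labels, preds = [], []
    for attack in (True, False):
        for _ in range(n_batches):
            rows, label = make_batch(intensity, attack, rng)
            labels.append(label)
            preds.append(detector(rows))
    return metrics(*confusion(labels, preds))


if __name__ == "__main__":
    for lo, hi in INTERVALS + SINGLE_VALUES:
        m = evaluate(threshold_detector, (lo, hi))
        tag = f"{lo:.0%}" if lo == hi else f"{lo:.0%}-{hi:.0%}"
        print(f"{tag:>7}  Acc={m['acc']:.3f}  Pre={m['pre']:.3f}  "
              f"Rec={m['rec']:.3f}  F1={m['f1']:.3f}")
```

Running the sweep reproduces the shape of Tables 7 and 8 rather than their numbers: a batch with one to three attack records rarely trips a batch-level rule, so recall is low at 1–3% and climbs to 1 once a fifth of the records are flood traffic, while precision stays governed by how often benign bursts alone cross the threshold.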

5.5. Results Analysis

Comparing the experimental results of the different methods under the various attack modes, we analyze the detection performance of each method.
Table 7 reports the Rényi entropy results. As the DDoS intensity increases from 1% to 20%, accuracy (Acc) rises from 0.562 to 0.965, precision (Pre) from 0.733 to 0.935, recall (Rec) from 0.193 to 1 and F1-score (F1) from 0.301 to 0.966. Recall is the metric most sensitive to intensity: at 1–3% the entropy layer misses most attack batches (Rec 0.193), while from 11–14% upward all four metrics exceed 0.93. The Rényi entropy method therefore performs well under moderate and high intensities, with a steady improvement particularly in Rec and F1, indicating good robustness once the attack share is large enough to shift the traffic's entropy.
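Why the entropy layer's recall climbs with intensity in Table 7 can be seen by computing Rényi entropy on a packet window that mimics the Section 5.1 floods: random spoofed sources (as hping3 --rand-source produces) all aimed at one victim. The following Python is an added example, not the paper's implementation; the window size, the order α = 2, the 18-host address pool (6 switches × 3 hosts, addressed 10.0.s.h as in Figure 3), the benign calibration and the 0.3-bit decision margin are my assumptions.

```python
"""Added example (not the paper's code): Rényi entropy of source and destination
addresses in a packet window, on constructed traffic that mimics the hping3
floods of Section 5.1 (random spoofed sources, one victim) at several attack
proportions.  Window size, alpha, address pool and decision margin are assumed."""
import math
import random
from collections import Counter

# 18 emulated hosts: 6 switches x 3 hosts, addressed 10.0.<switch>.<host> as in Figure 3
HOSTS = [f"10.0.{s}.{h}" for s in range(1, 7) for h in range(1, 4)]
VICTIM = "10.0.3.1"


def renyi_entropy(counts, alpha=2.0):
    """Rényi entropy in bits: H_a = log2(sum p_i^a) / (1 - a) for a != 1;
    the a -> 1 limit is Shannon entropy -sum p_i log2 p_i."""
    total = sum(counts)
    probs = [c / total for c in counts if c > 0]
    if abs(alpha - 1.0) < 1e-9:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


def make_window(n_packets, attack_fraction, rng):
    """Constructed window of (src, dst) pairs. Benign packets flow between two
    distinct emulated hosts; attack packets carry a random spoofed source and
    all target VICTIM."""
    n_attack = round(n_packets * attack_fraction)
    pkts = []
    for i in range(n_packets):
        if i < n_attack:
            src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
            pkts.append((src, VICTIM))
        else:
            src, dst = rng.sample(HOSTS, 2)
            pkts.append((src, dst))
    rng.shuffle(pkts)
    return pkts


def entropy_features(pkts, alpha=2.0):
    """(H_src, H_dst): entropy of the source and destination address distributions."""
    src = Counter(s for s, _ in pkts)
    dst = Counter(d for _, d in pkts)
    return renyi_entropy(list(src.values()), alpha), renyi_entropy(list(dst.values()), alpha)


def calibrate(rng, n_windows=5, n_packets=1000):
    """Benign baseline: mean (H_src, H_dst) over attack-free windows."""
    feats = [entropy_features(make_window(n_packets, 0.0, rng)) for _ in range(n_windows)]
    return (sum(f[0] for f in feats) / n_windows, sum(f[1] for f in feats) / n_windows)


def entropy_detector(pkts, baseline, margin=0.3):
    """Flag the window when destination entropy collapses toward the victim, or
    source entropy inflates from spoofing, by more than `margin` bits."""
    h_src, h_dst = entropy_features(pkts)
    b_src, b_dst = baseline
    return (b_dst - h_dst) > margin or (h_src - b_src) > margin


def sweep(fractions=(0.01, 0.05, 0.10, 0.15, 0.20), n_packets=1000, seed=0):
    """Return {fraction: (H_src, H_dst, flagged)} for one window per fraction."""
    rng = random.Random(seed)
    baseline = calibrate(rng, n_packets=n_packets)
    out = {}
    for f in fractions:
        pkts = make_window(n_packets, f, rng)
        h_src, h_dst = entropy_features(pkts)
        out[f] = (h_src, h_dst, entropy_detector(pkts, baseline))
    return out


if __name__ == "__main__":
    results = sweep()
    print(f"{'attack':>7} {'H_src':>6} {'H_dst':>6}  flagged")
    for f, (h_src, h_dst, flagged) in results.items():
        print(f"{f:>7.0%} {h_src:6.2f} {h_dst:6.2f}  {flagged}")
```

With 18 benign hosts the benign destination entropy sits near log2(18) ≈ 4.2 bits; ten spoofed packets in a thousand move it by a few hundredths of a bit, well inside the benign jitter, whereas a 20% flood pulls it down by roughly three quarters of a bit and pushes source entropy up by a similar amount. That is the mechanism behind the low recall at 1–3% and the saturation from 11–14% upward in Table 7, and it is why a cheap entropy pass is a reasonable first filter but not a complete detector.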
As shown in Table 8, the accuracy of the BiCNN model improves markedly with attack intensity, reaching its highest value of 0.960 at 20%. Precision, recall and F1-score improve in the same way and are particularly strong at 15% and 20%, indicating that the BiCNN model is robust and reliable under high attack intensities.
Specifically, at 1–3% intensity the model's accuracy is 0.670, recall is a relatively low 0.462 and the F1-score is 0.582; at 20% accuracy rises to 0.960, with recall and F1-score reaching 1 and 0.961. The BiCNN therefore copes effectively with stronger DDoS attacks, with all metrics improving as intensity grows. Compared with Rényi entropy (Table 7), the BiCNN is clearly stronger at low intensities (1–3%: Acc 0.670 vs 0.562, Rec 0.462 vs 0.193; 4–7%: Acc 0.896 vs 0.705), whereas at 15–20% the cheaper entropy layer is on par or slightly better.
Table 9 reports the OneDCNN results at a single intensity setting: accuracy 0.972, precision 0.993, recall 0.975 and F1-score 0.984. The OneDCNN thus identifies DDoS traffic in the test set with very high reliability; its performance is stable and consistent, with no sign of overfitting, demonstrating its generalization capability on traffic matrices.
Figure 4 shows the training loss of the BiCNN (labelled BCNN in the figure) and the OneDCNN over 300 epochs. The BiCNN starts from a high initial loss of 577.16 and decreases rapidly to a final value of 0.0034; the OneDCNN starts from a much lower initial loss of 9.03 and ends at 0.0899. Both converge well.
Table 10 summarizes, for each baseline, the attack intensity used in its original paper (column 2) and the accuracy reported there (column 3), together with the accuracy we measured at 10% and 6% attack intensity under identical conditions (columns 4 and 5). The reported figures are not directly comparable with one another, since they were obtained at different intensities on each paper's own data; the 10% and 6% columns are the like-for-like comparison.
Comparing detection accuracy across methods, the proposed method performs well at both measured intensities. At 10% DDoS intensity its accuracy reaches 90.8%, second only to the Dual-CNN method's 92.3%, while it has a clear advantage in model complexity and computational cost (Table 11). At 6% it reaches 72.3%, again second to Dual-CNN (81%) and well ahead of the remaining baselines (50.4–58.02%).
The Spark Streaming and Flink method performs strongly at the high intensity reported in its paper (94.1% at 33%), but its accuracy falls to 63.4% and 58.02% at 10% and 6%. This decline is plausibly due to the big-data framework's limited sensitivity to low-intensity attacks. The φ-entropy method, designed for early attack detection, reports 100% at 36% intensity but drops to 58% and 54.8% at 10% and 6%, placing it among the weakest of the compared methods at low intensity.
The Dual-CNN method performs best under all measured conditions, with the highest accuracy of 92.3% at 10% and 81% at 6%, but at the price of high computational complexity and a large model. The Dual-Rényi method is relatively weak under low-intensity attacks (50.4% at 6%) but still performs reasonably at 10% (70.2%).
The proposed method combines the strengths of Rényi entropy and the random forest classifier with the efficiency of a binarized CNN. It maintains high detection accuracy while substantially reducing model complexity and computation time, which gives it good application prospects.
Although our method is slightly less accurate in some cases, the Dual-CNN method requires markedly more computation and longer processing time.
For the distribution system operator (DSO), the Dual-CNN's computational load can mean longer response times and higher operating costs, which may in turn affect system stability.
For consumers, longer computation times mean delays in detecting and mitigating attacks, increasing the risk of outages and service interruptions. Our method's lower computational requirements allow quicker responses and more consistent service, reducing the impact on consumers.
Table 11 compares the Dual-CNN model with our model in parameter count, model size and time cost.
Our model reduces the number of learnable parameters from 227,132 (Dual-CNN) to 17,916, a reduction of about 92%; the model size from 886 KB to 213 KB, about 76% smaller; and the processing time per input from 0.798 ms to 0.377 ms, a reduction of over 50%.
These results show that the proposed model has a clear advantage in computational resources and time cost while keeping detection accuracy reliable, making it the better choice where fast, efficient DDoS detection is required.

6. Conclusions

This paper proposes a DDoS attack defense mechanism based on the SDN architecture that improves the accuracy and response speed of DDoS detection through multi-level detection and filtering. In the Rényi entropy results, all four metrics (Acc, Pre, Rec, F1) improve steadily as the DDoS intensity rises from 1% to 20%, and the entropy method is notably robust under moderate-intensity attacks. The OneDCNN model performs very well at the single tested intensity, with high accuracy, precision, recall and F1-score, demonstrating its generalization ability and stability on traffic matrices. At 10% and 6% DDoS intensity the proposed method has a clear advantage in detection accuracy over the traditional methods, reflecting higher detection precision.
In summary, the three-layer defense architecture designed here, through its progressively increasing computation mode, avoids wasting computational resources, especially when detecting low-saturation DDoS attacks, and thereby improves detection efficiency. The proposed method copes well with DDoS attacks of varying intensities and provides strong assurance for the secure operation of user-side devices in distribution networks.
Future work will focus on optimizing the model structure and algorithm to handle more complex attack scenarios and on improving the real-time capability of the defense mechanism.

Author Contributions

Conceptualization, K.X., Z.L. and Z.W.; methodology, Z.W.; software, K.X.; validation, N.L., F.K. and S.W.; formal analysis, S.W. and A.P.; investigation, Z.W.; resources, K.X.; data curation, Z.L.; writing—original draft preparation, K.X.; writing—review and editing, S.L., S.W. and A.P.; visualization, N.L., F.K. and S.W.; supervision, Z.W.; project administration, S.L.; funding acquisition, S.L. and Z.W. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Science and Technology Project of Inner Mongolia Power Co., Ltd., Grant No. LX01234742, and was partly supported by the Key Foundation of Zhejiang Provincial Natural Science of China under Grant No. LZ22F010005 and No. LTGY24F010002.

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Conflicts of Interest

Authors Kai Xu, Zemin Li, Nan Liang, Fanchun Kong and Shaobo Lei were employed by the company Power Marketing Service & Operation Management Branch, Inner Mongolia Power (Group) Co., Ltd. The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

References

  1. Fotopoulou, M.; Petridis, S.; Karachalios, I.; Rakopoulos, D. A Review on Distribution System State Estimation Algorithms. Appl. Sci. 2022, 12, 11073. [Google Scholar] [CrossRef]
  2. Yang, H.; He, X.; Wang, Z.; Qiu, R.C.; Ai, Q. Blind False Data Injection Attacks Against State Estimation Based on Matrix Reconstruction. IEEE Trans. Smart Grid 2022, 7, 3174–3187. [Google Scholar] [CrossRef]
  3. Vinicius, D.; Pedro, R.; Damien, M.; Mario, M. Detection and Mitigation of Low-Rate Denial-of-Service Attacks: A Survey. IEEE Access 2022, 10, 76648–76668. [Google Scholar]
  4. Zhao, J.; Jing, X.; Yan, Z.; Pedrycz, W. Network traffic classification for data fusion: A survey. Inf. Fusion 2021, 72, 22–47. [Google Scholar] [CrossRef]
  5. Kaur, S.; Kumar, K.; Aggarwal, N.; Singh, G. A comprehensive survey of DDoS defense solutions in SDN: Taxonomy, research challenges, and future directions. Comput. Secur. 2021, 110, 102423. [Google Scholar] [CrossRef]
  6. Deb, R.; Roy, S. A comprehensive survey of vulnerability and information security in SDN. Comput. Netw. 2022, 206, 108802. [Google Scholar] [CrossRef]
  7. Yuan, J.; Mills, K. Monitoring the macroscopic effect of DDoS flooding attacks. IEEE Trans. Dependable Secur. Comput. 2005, 2, 324–335. [Google Scholar] [CrossRef]
  8. Galeano-Brajones, J.; Carmona-Murillo, J.; Valenzuela-Valdés, J.F.; Luna-Valero, F. Detection and Mitigation of DoS and DDoS Attacks in IoT-Based Stateful SDN: An Experimental Approach. Sensors 2020, 20, 816. [Google Scholar] [CrossRef]
  9. Biswas, R.; Kim, S.; Wu, J. Sampling Rate Distribution for Flow Monitoring and DDoS Detection in Datacenter. IEEE Trans. Inf. Forensics Secur. 2021, 16, 2524–2534. [Google Scholar] [CrossRef]
  10. Tsobdjou, L.D.; Pierre, S.; Quintero, A. An Online Entropy-Based DDoS Flooding Attack Detection System With Dynamic Threshold. IEEE Trans. Netw. Serv. Manag. 2022, 19, 1679–1689. [Google Scholar] [CrossRef]
  11. Liu, Z.; Hu, C.; Shan, C. Riemannian manifold on stream data: Fourier transform and entropy-based DDoS attacks detection method. Comput. Secur. 2021, 109, 102392. [Google Scholar] [CrossRef]
  12. Li, R.; Wu, B. Early detection of DDoS based on φ-entropy in SDN networks. In Proceedings of the 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Darmstadt, Germany, 12–14 June 2020; pp. 731–735. [Google Scholar]
  13. Ahalawat, A.; Babu, K.S.; Turuk, A.K.; Patel, S. A low-rate DDoS detection and mitigation for SDN using Renyi Entropy with Packet Drop. J. Inf. Secur. Appl. 2022, 68, 103212. [Google Scholar] [CrossRef]
  14. Wang, X.; Zhong, X.; Li, L.; Zhang, S.; Lu, R.; Yang, T. TOT: Trust aware opportunistic transmission in cognitive radio Social Internet of Things. Comput. Commun. 2020, 162, 1–11. [Google Scholar] [CrossRef]
  15. Abidi, R.; Azzouna, N.B. Self-adaptive trust management model for social IoT services. In Proceedings of the 2021 International Symposium on Networks, Computers and Communications (ISNCC), Dubai, United Arab Emirates, 31 October–2 November 2021; pp. 1–7. [Google Scholar]
  16. Magdich, R.; Jemal, H.; Nakti, C.; Ben Ayed, M. An efficient Trust Related Attack Detection Model based on Machine Learning for Social Internet of Things. In Proceedings of the 2021 International Wireless Communications and Mobile Computing (IWCMC), Nicosia, Cyprus, 28 June–2 July 2021; pp. 1465–1470. [Google Scholar]
  17. Abdelghani, W.; Amous, I.; Zayani, C.A. Dynamic and scalable multi-level trust management model for Social Internet of Things. J. Supercomput. 2022, 78, 8137–8193. [Google Scholar] [CrossRef]
  18. Balarezo, J.F.; Wang, S.; Chavez, K.G.; Al-Hourani, A.; Kandeepan, S. A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks. Eng. Sci. Tech. Int. J. 2022, 31, 101065. [Google Scholar] [CrossRef]
  19. Baskar, M.; Ramkumar, J.; Karthikeyan, C. Low rate DDoS mitigation using real-time multi threshold traffic monitoring system. J. Ambient Intell. Humaniz. Comput. 2021, 1–9. [Google Scholar] [CrossRef]
  20. Engström, V.; Lagerström, R. Two decades of cyberattack simulations: A systematic literature review. Comput. Secur. 2022, 116, 102681. [Google Scholar] [CrossRef]
  21. Cil, A.E.; Yildiz, K.; Buldu, A. Detection of DDoS attacks with feed forward based deep neural network model. Expert Sys. Appl. 2021, 169, 114520. [Google Scholar] [CrossRef]
  22. Doriguzzi-Corin, R.; Millar, S.; Scott-Hayward, S.; Martínez-del-Rincón, J.; Siracusa, D. Lucid: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection. IEEE Trans. Netw. Serv. Manag. 2020, 17, 876–889. [Google Scholar] [CrossRef]
  23. Wei, G.; Wang, Z. Adoption and realization of deep learning in network traffic anomaly detection device design. Soft Comput. 2021, 25, 1147–1158. [Google Scholar] [CrossRef]
  24. Fouladi, R.F.; Ermiş, O.; Anarim, E. A DDoS attack detection and countermeasure scheme based on DWT and auto-encoder neural network for SDN. Comput. Netw. 2022, 214, 109140. [Google Scholar] [CrossRef]
  25. Asad, M.; Asim, M.; Javed, T.; Beg, M.O.; Mujtaba, H.; Abbas, S. DeepDetect: Detection of Distributed Denial of Service Attacks Using Deep Learning. Comput. J. 2020, 63, 983–994. [Google Scholar] [CrossRef]
  26. Zaib, M.H.; Bashir, F.; Qureshi, K.N. Deep learning based cyber bullying early detection using distributed denial of service flow. Multimed. Syst. 2022, 28, 1905–1924. [Google Scholar] [CrossRef]
  27. Rehman, S.U.; Khaliq, M.; Imtiaz, S.I.; Rasool, A.; Javed, A.R.; Jalil, Z.; Bashir, A.K. DIDDOS: An approach for detection and identification of Distributed Denial of Service (DDoS) cyberattacks using Gated Recurrent Units (GRU). Future Gen. Comput. Sys. 2021, 118, 453–466. [Google Scholar] [CrossRef]
  28. Yungaicela-Naula, N.M.; Vargas-Rosales, C.; Perez-Diaz, J.A. SDN-Based Architecture for Transport and Application Layer DDoS Attack Detection by Using Machine and Deep Learning. IEEE Access 2021, 9, 108495–108512. [Google Scholar] [CrossRef]
  29. Zhou, B.; Li, J.; Ji, Y.; Guizani, M. Online Internet Traffic Monitoring and DDoS Attack Detection Using Big Data Frameworks. In Proceedings of the 2018 14th International Wireless Communications & Mobile Computing Conference (IWCMC), Limassol, Cyprus, 25–29 June 2018; pp. 1507–1512. [Google Scholar]
  30. Tayfour, O.E.; Marsono, M.N. Collaborative detection and mitigation of DDoS in software-defined networks. J. Supercomput. 2021, 77, 13166–13190. [Google Scholar] [CrossRef]
  31. Haider, S.; Akhunzada, A.; Mustafa, I.; Patel, T.B.; Fernandez, A.; Choo, K.K.R.; Iqbal, J. A Deep CNN Ensemble Framework for Efficient DDoS Attack Detection in Software Defined Networks. IEEE Access 2020, 8, 53972–53983. [Google Scholar] [CrossRef]
  32. Hwang, R.H.; Peng, M.C.; Huang, C.W.; Lin, P.C.; Nguyen, V.L. An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection. IEEE Access 2020, 8, 30387–30399. [Google Scholar] [CrossRef]
  33. Cheng, J.; Liu, Y.; Tang, X.Y.; Sheng, V.S.; Li, M.Y.; Li, J.Q. DDoS Attack Detection via Multi-scale Convolutional Neural Network. Comput. Mater. Contin. 2020, 62, 1317–1333. [Google Scholar] [CrossRef]
  34. Kumar, H.; Aoudni, Y.; Ortiz, G.G.R.; Jindal, L.; Miah, S.; Tripathi, R.; Damaševičius, R. Light Weighted CNN Model to Detect DDoS Attack over Distributed Scenario. Secur. Commun. Netw. 2022, 2022, 7585457. [Google Scholar] [CrossRef]
  35. Abrahamsen, F.E.; Ai, Y.; Cheffena, M. Communication Technologies for Smart Grid: A Comprehensive Survey. Sensors 2021, 21, 8087. [Google Scholar] [CrossRef] [PubMed]
  36. Tightiz, L.; Yang, H. A Comprehensive Review on IoT Protocols’ Features in Smart Grid Communication. Energies 2020, 13, 2762. [Google Scholar] [CrossRef]
  37. Jiménez, M.B.; Fernández, D.; Rivadeneira, J.E.; Bellido, L.; Cárdenas, A. A Survey of the Main Security Issues and Solutions for the SDN Architecture. IEEE Access 2021, 9, 122016–122038. [Google Scholar] [CrossRef]
  38. Correa, C.J.C.; Imbachi, J.C.; Vega, J.F.B. Security in SDN: A comprehensive survey. J. Net. Comp. Appl. 2020, 159, 102595. [Google Scholar] [CrossRef]
  39. Maleh, Y.; Qasmaoui, Y.; El Gholami, K. A comprehensive survey on SDN security: Threats, mitigations, and future directions. J. Reliable Intell. Environ. 2023, 9, 201–239. [Google Scholar] [CrossRef]
  40. McKeown, N.; Anderson, T.; Balakrishnan, H.; Parulkar, G.; Peterson, L.; Rexford, J.; Shenker, S.; Turner, J. OpenFlow: Enabling innovation in campus networks. SIGCOMM Comput. Commun. Rev. 2008, 38, 69–74. [Google Scholar] [CrossRef]
  41. Dorsch, N.; Kurtz, F.; Georg, H.; Hägerling, C.; Wietfeld, C. Software-defined networking for Smart Grid communications: Applications, challenges and advantages. In Proceedings of the 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm), Venice, Italy, 3–6 November 2014; pp. 422–427. [Google Scholar]
  42. Zhang, J.; Seet, B.C.; Lie, T.T.; Foh, C.H. Opportunities for Software-Defined Networking in Smart Grid. In Proceedings of the 2013 9th International Conference on Information, Communications & Signal Processing, Tainan, Taiwan, 10–13 December 2013; pp. 1–5. [Google Scholar]
  43. Bera, S.; Misra, S.; Vasilakos, A.V. Software-Defined Networking for Internet of Things: A Survey. IEEE Internet Things J. 2017, 4, 1994–2008. [Google Scholar] [CrossRef]
  44. Zargar, S.T.; Joshi, J.; Tipper, D. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Commun. Surv. Tut. 2013, 15, 2046–2069. [Google Scholar] [CrossRef]
  45. Vishwakarma, R.; Jain, A.K. A survey of DDoS attacking techniques and defence mechanisms in the IoT network. Telecommun. Syst. 2020, 73, 3–25. [Google Scholar] [CrossRef]
  46. Huseinović, A.; Mrdović, S.; Bicakci, K.; Uludag, S. A Survey of Denial-of-Service Attacks and Solutions in the Smart Grid. IEEE Access 2020, 8, 177447–177470. [Google Scholar] [CrossRef]
  47. Shah, Z.; Ullah, I.; Li, H.; Levula, A.; Khurshid, K. Blockchain Based Solutions to Mitigate Distributed Denial of Service (DDoS) Attacks in the Internet of Things (IoT): A Survey. Sensors 2022, 22, 1094. [Google Scholar] [CrossRef] [PubMed]
  48. Eliyan, L.F.; Di Pietro, R. DoS and DDoS attacks in Software Defined Networks: A survey of existing solutions and research challenges. Future Gen. Comp. Sys. 2021, 122, 149–171. [Google Scholar] [CrossRef]
  49. Song, W.; Beshley, M.; Przystupa, K.; Beshley, H.; Kochan, O.; Pryslupskyi, A.; Pieniak, D.; Su, J. A Software Deep Packet Inspection System for Network Traffic Analysis and Anomaly Detection. Sensors 2020, 20, 1637. [Google Scholar] [CrossRef] [PubMed]
  50. Yang, L.; Fu, S.; Zhang, X.; Guo, S.; Wang, Y.; Yang, C. FlowSpectrum: A concrete characterization scheme of network traffic behavior for anomaly detection. World Wide Web 2022, 25, 2139–2161. [Google Scholar] [CrossRef]
  51. Breiman, L. Random Forests. Mach. Learn. 2001, 45, 5–32. [Google Scholar] [CrossRef]
  52. Kingma, D.P.; Ba, J. Adam: A Method for Stochastic Optimization. arXiv 2014, arXiv:1412.6980. [Google Scholar]
Figure 1. Application structure of SDN network in distribution communication networks.
Figure 2. Communication diagram of IoT devices on the user side of distribution networks.
Figure 3. Schematic structure of DDoS attack.
Figure 4. Training loss of BCNN and OneDCNN.
Table 1. Parameters of BiCNN.
Layer name      | Layer design (kernel size, padding, stride) | Output
Input           |                                             | 100 × 18, 1 channel
Conv2d_1        | 7 × 7, 3, 1                                 | 100 × 18, 4 channels
Binary_conv2d_1 | 5 × 5, 2, 1                                 | 100 × 18, 8 channels
Conv2d_2        | 5 × 5, 2, 1                                 | 100 × 18, 16 channels
Pooling         | 2 × 2, (1,2)                                | 50 × 9, 16 channels
Binary_conv2d_2 | 3 × 3, 1, 1                                 | 50 × 9, 16 channels
GAP             |                                             | 1 × 1, 16 channels
Dense           |                                             | 2
Table 2. Features used by Rényi and BiCNN.
Feature name             | Role
Flow Duration            | Identifies the abnormal flow durations of potential DDoS attacks.
Total Fwd Packets        | Checks for an abnormal increase in the total number of packets sent forward.
Total Backward Packets   | Checks for an abnormal increase in the total number of packets sent backward.
Fwd Packets Length Total | Identifies the large forward data transfer of potential DDoS attacks.
Bwd Packets Length Total | Identifies the large backward data transfer of potential DDoS attacks.
Flow Bytes/s             | Monitors the high data rate of potential DDoS attacks.
Flow Packets/s           | Monitors the high packet rate of potential DDoS attacks.
Fwd Packets/s            | Checks for an abnormal increase in the forward packet rate.
Bwd Packets/s            | Checks for an abnormal increase in the backward packet rate.
Flow IAT Mean            | Identifies abnormal packet inter-arrival times in potential DDoS attacks.
Flow IAT Std             | Measures the variation in inter-arrival time to detect anomalies.
Flow IAT Max             | Measures long delays between packets during potential DDoS attacks.
Flow IAT Min             | Identifies the very short inter-packet gaps of flood traffic.
SYN Flag Count           | Counts SYN segments; a surge of SYNs without completed handshakes is the signature of a SYN flood.
FIN Flag Count           | Counts FIN segments; flood connections are never closed normally, so FIN counts fall relative to SYN counts.
PSH Flag Count           | Counts PSH segments; the count rises sharply in a PSH+ACK flood.
ACK Flag Count           | Counts ACK segments; abnormal ACK counts indicate ACK floods or spoofed acknowledgements.
Table 3. Parameters of OneDCNN.
Layer name | Layer design (kernel size, padding, stride) | Output
Input      |                                             | 1 × 8, 1 channel
Conv1d_1   | 3, 1, 1                                     | 1 × 8, 8 channels
Conv1d_2   | 3, 1, 1                                     | 1 × 8, 16 channels
Conv1d_3   | 3, 1, 1                                     | 1 × 8, 32 channels
Pooling    | 2, 2                                        | 1 × 4, 32 channels
GAP        |                                             | 1 × 1, 32 channels
Dense      |                                             | 2
Table 4. Features used by OneDCNN.
Feature name     | Role
proto            | Protocol type: identifies the protocol of the packet; different protocols behave differently in DDoS attacks.
total_length     | Total length of the packet; unusually large or small packets may be a characteristic of DDoS attacks.
ttl              | Time to live of the packet; abnormal TTL values may indicate abnormal behavior in the network.
src_port         | Source port number; random source ports are often used in DDoS attacks.
dst_port         | Destination port number; DDoS attacks typically concentrate on commonly used service ports.
seq              | TCP sequence number; abnormal sequence numbers may indicate forged packets.
ack              | TCP acknowledgment number; abnormal acknowledgment numbers may indicate forged acknowledgement packets.
flags            | TCP flag bits; abnormal flag combinations may be a sign of DDoS attacks.
window_size      | Receive window size; abnormal window sizes may indicate network congestion or attack behavior.
udp_total_length | Total length of the UDP datagram; abnormal lengths may be a characteristic of DDoS attacks.
icmp_type        | ICMP message type; certain ICMP types sent in large quantities may be part of a DDoS attack.
icmp_code        | ICMP message code; specific codes may help identify the attack type.
icmp_data_length | Length of the ICMP data portion; abnormal data lengths may indicate attack behavior.
Table 5. Experimental setup and parameters.
Device      | Parameter
CPU         | Intel(R) Core(TM) i9-13900HX 2.20 GHz
GPU         | RTX 4070 Laptop
Environment | Python 3.7, PyTorch 2.3.1, CUDA 12.5.78
OS          | Ubuntu 18.04.1
Table 6. DDoS attack intensity in test samples (proportion of attack records in an attack batch).
Type         | Intensity of DDoS attack
Single value | 15%, 16%, 17%, 18%, 19%, 20%
Interval     | 1–3%, 4–7%, 8–10%, 11–14%
Table 7. Analysis of Rényi entropy results.
Intensity of DDoS | Acc   | Pre   | Rec   | F1
1–3%              | 0.562 | 0.733 | 0.193 | 0.301
4–7%              | 0.705 | 0.901 | 0.452 | 0.599
8–10%             | 0.832 | 0.902 | 0.744 | 0.813
11–14%            | 0.964 | 0.980 | 0.941 | 0.959
15%               | 0.972 | 0.943 | 1     | 0.971
16%               | 0.963 | 0.942 | 0.982 | 0.961
17%               | 0.971 | 0.943 | 1     | 0.971
18%               | 0.965 | 0.935 | 1     | 0.966
19%               | 0.954 | 0.909 | 1     | 0.952
20%               | 0.965 | 0.935 | 1     | 0.966
Table 8. Analysis of BiCNN results.
Intensity of DDoS | Acc   | Pre   | Rec   | F1
1–3%              | 0.670 | 0.793 | 0.462 | 0.582
4–7%              | 0.896 | 0.908 | 0.885 | 0.896
8–10%             | 0.932 | 0.922 | 0.940 | 0.931
11–14%            | 0.935 | 0.922 | 0.952 | 0.936
15%               | 0.943 | 0.893 | 1     | 0.943
16%               | 0.935 | 0.900 | 0.982 | 0.938
17%               | 0.955 | 0.925 | 0.993 | 0.956
18%               | 0.930 | 0.890 | 0.980 | 0.933
19%               | 0.935 | 0.891 | 0.994 | 0.938
20%               | 0.960 | 0.925 | 1     | 0.961
Table 9. Analysis of OneDCNN results.
Accuracy | Precision | Recall | F1-score
0.972    | 0.993     | 0.975  | 0.984
Table 10. Baseline comparison at different DDoS intensities (accuracy in %).
Method                         | Intensity in article | Acc. shown in article | Acc. at 10% | Acc. at 6%
φ-entropy [12]                 | 36%                  | 100                   | 58          | 54.8
Spark Streaming and Flink [29] | 33%                  | 94.1                  | 63.4        | 58.02
Dual-CNN [26]                  | 95%                  | 99.13                 | 92.3        | 81
Dual-Rényi [11]                | 30%                  | 98.2                  | 70.2        | 50.4
Ours                           | none                 | none                  | 90.8        | 72.3
Table 11. Comparison of parameter quantities.
Parameter type      | Dual-CNN | Ours
Learnable parameters | 227,132  | 17,916
Size of model        | 886 KB   | 213 KB
Time cost (ms)       | 0.798    | 0.377
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

Xu, Kai, Zemin Li, Nan Liang, Fanchun Kong, Shaobo Lei, Shengjie Wang, Agyemang Paul, and Zhefu Wu. 2024. "Research on Multi-Layer Defense against DDoS Attacks in Intelligent Distribution Networks" Electronics 13, no. 18: 3583. https://doi.org/10.3390/electronics13183583