Introduction

This paper presents a novel approach for real-time DDoS detection in Software-Defined Networking (SDN) environments using lightweight deep learning algorithms implemented on programmable data planes. By shifting detection intelligence from the control plane to the data plane, the proposed solution enhances detection speed and protects the SDN controller from being overwhelmed during attacks. The method utilizes a Convolutional Neural Network (CNN) model that processes flow-level statistics efficiently, balancing detection accuracy with resource efficiency.

Introduction

Distributed Denial of Service (DDoS) attacks remain one of the most prevalent and
destructive threats in modern networks, with their frequency, sophistication, and scale
continuing to increase. The emergence of Software-Defined Networking (SDN) has
transformed network architecture by decoupling the control plane from the data plane,
offering unprecedented programmability and centralized management. However, this
centralization also introduces a critical vulnerability: the SDN controller becomes an
attractive target for DDoS attacks, which can overwhelm its resources and compromise
the entire network infrastructure.

Traditional DDoS detection approaches typically rely on traffic monitoring and analysis at
the network edge or within dedicated security appliances. These methods often involve
significant processing overhead and introduce latency that is incompatible with the
real-time requirements of modern networks. Furthermore, they frequently depend on the
centralized controller for analysis, which exacerbates the very vulnerability they aim to
address. When detection systems rely on the controller, they can inadvertently amplify
the impact of an attack by consuming additional controller resources during detection.

Recent advances in programmable data planes, enabled by languages like P4
(Programming Protocol-independent Packet Processors) and programmable switching
chips, have created new opportunities for implementing sophisticated packet processing
directly in the forwarding plane. These technologies allow network devices to perform
complex operations at line rate without involving the control plane, potentially
transforming how security functions are implemented in SDN environments.

Concurrently, deep learning has demonstrated remarkable success in network security
applications, particularly in identifying complex patterns indicative of attacks. However,
conventional deep learning models are computationally intensive and memory-hungry,
making them challenging to deploy in resource-constrained network environments. The
need for lightweight yet effective deep learning approaches has become increasingly
apparent, especially for real-time security applications in networking contexts.

This paper addresses these challenges by introducing a novel approach that leverages
lightweight deep learning algorithms implemented directly on programmable data planes
for real-time DDoS detection in SDN environments. Our solution exploits the
computational capabilities of modern programmable switches to execute a carefully
designed Convolutional Neural Network (CNN) model that can detect various DDoS attack
patterns at line rate. By moving the detection intelligence from the control plane to the
data plane, we not only protect the controller from becoming overwhelmed during
attacks but also significantly reduce detection latency.

Our approach is distinguished by its ability to balance detection accuracy with resource
efficiency. We employ dimensionality reduction techniques and architectural
optimizations to create a neural network model with minimal parameters while
maintaining high detection performance. The model processes flow-level statistics
collected directly in the data plane, analyzing entropy-based features that capture the
statistical properties of network traffic without requiring deep packet inspection.
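
To illustrate what entropy-based flow features look like, the following added example (not code from this paper) computes normalized Shannon entropy over packet header fields per fixed-size window. The choice of fields, the window size of 8, the normalization by log2 of the window size, and the sample traffic are assumptions made for the illustration; the introduction does not specify them.

```python
import math
from collections import Counter

# Header fields used as features: an assumption for this illustration.
FIELDS = ("src_ip", "dst_ip", "dst_port")


def normalized_entropy(values):
    """Shannon entropy of the observed values, scaled to [0, 1].

    1.0 means every observation in the window is distinct; 0.0 means
    all observations share one value. Only header fields are used, so
    no payload inspection is needed.
    """
    counts = Counter(values)
    n = len(values)
    if len(counts) <= 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def window_features(packets, window):
    """Return one entropy vector (one value per field) per full window."""
    feats = []
    for start in range(0, len(packets) - window + 1, window):
        chunk = packets[start:start + window]
        feats.append(tuple(
            round(normalized_entropy([p[f] for p in chunk]), 3)
            for f in FIELDS))
    return feats


def _pkt(src, dst, port):
    return {"src_ip": src, "dst_ip": dst, "dst_port": port}


# Constructed sample traffic using documentation address ranges.
# BENIGN: four clients talking to four servers on two ports.
BENIGN = [_pkt(f"192.0.2.{i % 4 + 1}", f"198.51.100.{i % 4 + 1}",
               (80, 443)[i % 2]) for i in range(8)]
# FLOOD: many distinct sources converging on one address and port.
FLOOD = [_pkt(f"203.0.113.{i + 1}", "198.51.100.1", 80) for i in range(8)]


def sample_features():
    """Feature vectors for the benign window followed by the flood window."""
    return window_features(BENIGN + FLOOD, window=8)


if __name__ == "__main__":
    for label, vec in zip(("benign", "flood"), sample_features()):
        print(label, dict(zip(FIELDS, vec)))
```

In the flood window the source-address entropy rises to its maximum while destination-address and destination-port entropy collapse to zero, which is the kind of statistical shift a classifier can consume as input.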

The remainder of this paper is organized as follows: Section 2 reviews related work in
DDoS detection, SDN security, and programmable data planes. Section 3 details our
proposed lightweight deep learning architecture and its implementation on
programmable switches. Section 4 describes our experimental setup and evaluation
methodology. Section 5 presents and discusses our results, comparing our approach with
state-of-the-art alternatives. Finally, Section 6 concludes the paper and outlines
directions for future research.
