Proactive DDoS Detection and Mitigation in Decentralized Software-Defined Networking via Port-Level Monitoring and Zero-Training Large Language Models
Centralized Software-Defined Networking (cSDN) offers flexible and programmable control of networks but suffers from scalability and reliability issues due to its reliance on centralized controllers. Decentralized SDN (dSDN) alleviates these concerns by distributing control across multiple local controllers, yet this architecture remains highly vulnerable to Distributed Denial-of-Service (DDoS) attacks. In this paper, we propose a novel detection and mitigation framework tailored for dSDN environments. The framework leverages lightweight port-level statistics combined with prompt engineering and in-context learning, enabling the DeepSeek-v3 Large Language Model (LLM) to classify traffic as benign or malicious without requiring fine-tuning or retraining. Once an anomaly is detected, mitigation is enforced directly at the attacker’s port, ensuring that malicious traffic is blocked at its origin while normal traffic remains unaffected. An automatic recovery mechanism restores normal operation after a period of attack inactivity, ensuring both security and availability. Experimental evaluation under diverse DDoS attack scenarios demonstrates that the proposed approach achieves near-perfect detection, with 99.99% accuracy, 99.97% precision, 100% recall, 99.98% F1-score, and an AUC of 1.0. These results highlight the effectiveness of combining distributed monitoring with zero-training LLM inference, providing a proactive and scalable defense mechanism for securing dSDN infrastructures against DDoS threats.
💡 Research Summary
The paper addresses the inherent scalability and reliability challenges of centralized Software‑Defined Networking (cSDN) by focusing on decentralized SDN (dSDN), where multiple local controllers manage network segments independently. While dSDN mitigates the single‑point‑of‑failure problem, it remains highly susceptible to Distributed Denial‑of‑Service (DDoS) attacks because each controller can be overwhelmed by malicious traffic. To protect dSDN, the authors propose a detection and mitigation framework that relies on lightweight port‑level statistics and a zero‑training inference approach using the DeepSeek‑v3 large language model (LLM).
Data collection and preprocessing
Each local controller periodically gathers per‑port metrics such as inbound/outbound byte counts, packet counts, average packet size, and a short time‑window identifier. These statistics are extremely low‑overhead compared with flow‑level feature extraction used in traditional IDS. The metrics are formatted into a structured prompt that includes a few labeled examples (both benign and malicious) and a natural‑language query asking the model to classify the current port’s traffic. This in‑context learning step enables the LLM to adapt its massive pre‑trained knowledge to the specific detection task without any weight updates.
Inference pipeline
The prompt‑augmented data are sent to an edge server that calls the DeepSeek‑v3 API. The model returns a label (“benign” or “malicious”) together with a confidence score. If the label is malicious, the corresponding local controller instantly installs an OpenFlow rule that drops all packets arriving on the offending port. The rule remains active only while the port continues to exhibit anomalous behavior; a quiet period (e.g., 30 seconds) triggers automatic rule removal, restoring normal traffic flow. This “port‑level mitigation” ensures that attack traffic is blocked at its source, preserving the rest of the network’s performance.
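The collection-to-mitigation loop described in the two subsections above, as an added example rather than code from the paper: it turns cumulative OpenFlow port counters into per-window deltas, builds the few-shot prompt, normalises the model's free-text reply, and manages the drop rule's lifetime with a quiet-period timeout. The LLM call sits behind a `classify` callable so the whole loop runs offline; `keyword_classifier`, its thresholds, the sample counter values, the 30 s quiet period and the `ovs-ofctl` rule strings are assumptions of this example, not details taken from the paper.

```python
"""Port-level DDoS detection/mitigation loop for one local dSDN controller.

Added illustration, not the paper's code. The DeepSeek-v3 API call is abstracted
behind `classify(prompt) -> reply`; `keyword_classifier` is a hypothetical
stand-in that answers the same prompt so the pipeline can run offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class PortSample:
    """One reading of cumulative OpenFlow port counters at time t (seconds)."""
    switch: str
    port: int
    t: float
    rx_bytes: int
    rx_pkts: int
    tx_bytes: int
    tx_pkts: int


@dataclass(frozen=True)
class PortFeatures:
    """Per-window deltas plus average packet size: the fields the prompt carries."""
    switch: str
    port: int
    window_id: int
    rx_bytes: int
    rx_pkts: int
    tx_bytes: int
    tx_pkts: int
    avg_pkt_size: float


def features_from_counters(prev: PortSample, cur: PortSample, window_id: int) -> PortFeatures:
    """Difference two cumulative readings into one window's statistics."""
    rx_b, rx_p = cur.rx_bytes - prev.rx_bytes, cur.rx_pkts - prev.rx_pkts
    tx_b, tx_p = cur.tx_bytes - prev.tx_bytes, cur.tx_pkts - prev.tx_pkts
    total_pkts = rx_p + tx_p
    avg = (rx_b + tx_b) / total_pkts if total_pkts else 0.0
    return PortFeatures(cur.switch, cur.port, window_id, rx_b, rx_p, tx_b, tx_p, avg)


# Labelled in-context examples embedded in every prompt (constructed values).
FEW_SHOT = [
    ("rx_bytes=61200 rx_pkts=72 tx_bytes=1440000 tx_pkts=980 avg_pkt_size=1427.0", "benign"),
    ("rx_bytes=3840000 rx_pkts=60000 tx_bytes=2100 tx_pkts=35 avg_pkt_size=64.0", "malicious"),
]


def build_prompt(f: PortFeatures) -> str:
    """Few-shot prompt: instructions, labelled examples, then the unlabelled query."""
    lines = [
        "You are a network security analyst. Classify the traffic seen on one switch",
        "port during a 0.5 s window as 'benign' or 'malicious' (DDoS).",
        "Answer with exactly one word.", "",
    ]
    for desc, label in FEW_SHOT:
        lines.append(f"Port stats: {desc}\nLabel: {label}\n")
    lines.append(f"Port stats: rx_bytes={f.rx_bytes} rx_pkts={f.rx_pkts} "
                 f"tx_bytes={f.tx_bytes} tx_pkts={f.tx_pkts} avg_pkt_size={f.avg_pkt_size:.1f}")
    lines.append("Label:")
    return "\n".join(lines)


def parse_label(reply: str) -> str:
    """Normalise the model's answer. Anything that is not clearly 'malicious' is
    treated as benign, so a garbled reply never blocks a port (fail-open)."""
    words = reply.strip().lower().split()
    first = words[0].strip(".,'\"") if words else ""
    return "malicious" if first == "malicious" else "benign"


def keyword_classifier(prompt: str) -> str:
    """Hypothetical stand-in for the LLM API: reads the query line of the prompt and
    flags a high packet rate of small packets. Replace with the real API call."""
    query = [ln for ln in prompt.splitlines() if ln.startswith("Port stats:")][-1]
    kv = dict(tok.split("=") for tok in query[len("Port stats: "):].split())
    flood = int(kv["rx_pkts"]) > 10_000 and float(kv["avg_pkt_size"]) < 128
    return "malicious" if flood else "benign"


@dataclass
class Mitigator:
    """Installs a drop rule on the offending port and removes it after quiet_period
    seconds without a malicious verdict. Rules are emitted as ovs-ofctl commands
    (assumed OVS switch) rather than executed here."""
    quiet_period: float = 30.0
    last_malicious: Dict[Tuple[str, int], float] = field(default_factory=dict)
    commands: List[str] = field(default_factory=list)

    def on_verdict(self, f: PortFeatures, label: str, now: float) -> List[str]:
        emitted: List[str] = []
        key = (f.switch, f.port)
        if label == "malicious":
            if key not in self.last_malicious:  # first hit: block at the source port
                emitted.append(f'ovs-ofctl add-flow {f.switch} "priority=100,in_port={f.port},actions=drop"')
            self.last_malicious[key] = now      # refresh: counters keep rising while attacker sends
        for (sw, port), ts in list(self.last_malicious.items()):
            if now - ts >= self.quiet_period:   # automatic recovery
                emitted.append(f'ovs-ofctl del-flows {sw} "in_port={port}"')
                del self.last_malicious[(sw, port)]
        self.commands.extend(emitted)
        return emitted


def run_pipeline(samples: List[PortSample], classify: Callable[[str], str],
                 quiet_period: float = 30.0) -> Tuple[List[str], List[str]]:
    """Returns (verdict per window, OpenFlow commands in the order they were emitted)."""
    mit, verdicts = Mitigator(quiet_period=quiet_period), []
    for i in range(1, len(samples)):
        feats = features_from_counters(samples[i - 1], samples[i], window_id=i)
        label = parse_label(classify(build_prompt(feats)))
        verdicts.append(label)
        mit.on_verdict(feats, label, now=samples[i].t)
    return verdicts, mit.commands


# Constructed counter readings for port 3 of switch s1: benign, two flood windows
# (~30k small packets inbound per window), attack stops, then the quiet period elapses.
SAMPLES = [
    PortSample("s1", 3, 0.0, 1_000_000, 1_000, 5_000_000, 4_000),
    PortSample("s1", 3, 0.5, 1_030_000, 1_020, 5_700_000, 4_500),
    PortSample("s1", 3, 1.0, 2_950_000, 31_020, 5_701_000, 4_515),
    PortSample("s1", 3, 1.5, 4_870_000, 61_020, 5_702_000, 4_530),
    PortSample("s1", 3, 2.0, 4_900_000, 61_040, 6_400_000, 5_030),
    PortSample("s1", 3, 32.0, 4_930_000, 61_060, 7_100_000, 5_530),
]

if __name__ == "__main__":
    for v, c in zip(*run_pipeline(SAMPLES, keyword_classifier)):
        print(v, c)
```

Two design points worth noting. `parse_label` fails open on an unparseable reply, which matches the paper's priority that normal traffic stay unaffected; a deployment that prefers fail-closed should invert that default and accept the availability cost. And because port counters keep incrementing while the switch drops packets, the rule is refreshed for as long as the attacker keeps sending and expires only once the port has been quiet for the full period, which is the lifetime behaviour the summary describes; a drop on `in_port` blocks everything behind that port, so this is only safe where the port really is the attacker's own access port and not a shared uplink.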
Experimental setup
The authors built a hybrid testbed using Mininet and real OpenFlow switches, deploying ten local controllers and fifty switches to emulate a realistic dSDN topology. Four representative DDoS attack families—UDP flood, SYN flood, HTTP GET flood, and DNS‑reflection—were launched against randomly selected hosts, each lasting five minutes. Normal traffic included web browsing, file transfers, and video streaming. Port statistics were sampled every 0.5 seconds, and the detection pipeline operated with sub‑150 ms latency.
Results
Across all attack scenarios, the framework achieved 99.99 % accuracy, 99.97 % precision, 100 % recall, a 99.98 % F1‑score, and an AUC of 1.0. Compared with a conventional machine‑learning‑based IDS, the LLM‑driven approach reduced detection delay by more than half while keeping CPU utilization on each local controller below 3 %. The automatic recovery mechanism successfully reinstated traffic after the attack subsided, demonstrating minimal impact on service availability.
Key contributions
- Port‑level monitoring – Shows that minimal per‑port counters are sufficient for high‑fidelity DDoS detection in dSDN.
- Zero‑training LLM inference – Introduces a novel security paradigm where a pre‑trained LLM is repurposed via in‑context learning, eliminating the need for costly data labeling and model retraining.
- Source‑centric mitigation – Enforces blocking directly at the attacker’s port, preventing attack traffic from propagating through the network.
- Self‑healing operation – Provides an automated rule‑lifetime management scheme that restores normal operation without human intervention.
Limitations and future work
The reliance on external LLM APIs raises concerns about latency variability, cost, and data privacy. Prompt design is currently manual; automated prompt generation or optimization could improve robustness across heterogeneous network environments. Moreover, scalability to very large dSDN deployments and applicability to other threat classes (e.g., switch‑level poisoning, insider attacks) remain open research questions.
In summary, the paper presents an innovative, practical solution that combines lightweight network telemetry with state‑of‑the‑art language‑model inference to achieve near‑perfect DDoS detection and rapid, localized mitigation in decentralized SDN infrastructures. The results suggest that LLM‑based in‑context learning can become a valuable tool in the network security arsenal, especially for environments where rapid adaptation and minimal operational overhead are paramount.