Abstract: In order to reduce the resource consumption in distributed denial of service (DDos) attack detection in software defined networks and improve the detection accuracy, we proposed a two-level joint detection model based on φ-entropy and IDBO-RF. Firstly,  abnormal traffic was filtered to complete the first level trigger detection by calculating the φ-entropy of the destination IP address. 
Secondly, the hyperparameters of the random forest were optimized by using the improved dung beetle optimization algorithm to construct the IDBO-RF model. Abnormal traffic was   mapped through the optimal feature subset to the IDBO-RF model for secondary confirmation detection of DDoS attacks. Through public datasets and simulation experiments, the proposed model effectively shortens the detection time, reduces controller resource consumption of the software defined networks, and achieves an accuracy of over 99% in both binary and multi-classification  detection of DDoS attacks, the average detection time is only 1.21 s, and the CPU occupancy rate for controller is only 33.45%, demonstrating  good generalization performance.

Key words: software defined network, distributed denial of service attack, φ-entropy, random forest, dung beetle optimization algorithm