SwoRD- Switch flow table overflow and Resource Depletion attack detection in SDN
Abstract
Low-rate attacks targeting flow tables have emerged as a major threat to Software-Defined Networking (SDN). These attacks disrupt service to genuine users by overwhelming TCAM-enabled SDN switches with illegitimate packets, exploiting the limited storage capacity of flow tables. This paper introduces a modified low-rate attack called SOFT (Smart Overflow of Flow Table). In this attack, the adversary first observes network traffic to understand normal behavior, then generates attack packets that mimic legitimate traffic patterns. The SOFT attack’s stealthy and adaptive nature makes it more difficult to detect than other low-rate attacks. To defend against SOFT, this paper proposes SwoRD, a mitigation mechanism that continuously monitors flow tables and analyzes rule durations to assess potential threats. SwoRD introduces five innovative features: Packet Flow Rate (PFR), Behavioral Anomaly Score (BAS), IP Aberration Score (IAS), Content Integrity (CI), and Protocol Analysis (PA), to enhance machine learning-based detection using XGBoost. Upon detecting an anomaly, SwoRD triggers the detection module, which identifies malicious flows and blocks the attack source. Experimental results show that SwoRD significantly reduces CPU and memory overhead while minimizing classification latency. It achieves an impressive detection accuracy of 98.81%, surpassing existing state-of-the-art methods to the best of our knowledge. Beyond improving detection efficiency, SwoRD safeguards flow table integrity and ensures the seamless transmission of legitimate traffic. Furthermore, the interpretability of the proposed model is examined using Local Interpretable Model-agnostic Explanations (LIME).