P4-Assisted Slowloris DDoS attack detection in IoT environments by using ML and DL
Academic Article in Scopus

abstract

  • Distributed denial of service (DDoS) attacks and their more sophisticated slow-rate variants continue to pose a major threat to next-generation networks, such as the Internet of Things (IoT). Due to their limited computational and storage capacities, IoT devices often lack adequate security protections, leaving them vulnerable. Cybercriminals have exploited this problem to create botnets, which are then used to target vital infrastructures. Recent studies have employed Software-Defined Networking (SDN) and machine learning (ML) to autonomously identify slow-rate DDoS attacks. However, because recent works employ a centralized SDN controller, this strategy causes overload as the network size increases. To reduce the workload on the SDN controller, we propose a Programming Protocol-Independent Packet Processors (P4)-based framework that uses ML or deep learning (DL) to detect and mitigate Slowloris DDoS attacks in IoT networks. Our framework employs P4 programmable switches to collect network traffic characteristics and forward them to an intrusion detection system (IDS) for attack detection. We evaluated the framework using Mininet and BMv2 switches, demonstrating that it can detect Slowloris DDoS attacks with up to 98% accuracy using any of the following models: random forest (RF), k-nearest neighbor (KNN), decision tree (DT), long short-term memory (LSTM) neural network, convolutional neural network (CNN), gated recurrent unit (GRU) neural network, and multi-layer perceptron (MLP). Mitigation is achieved by modifying the match-action tables of the switches to block attacker IPs based on IDS results. © 2025 Elsevier B.V.

publication date

  • July 1, 2025