FlowPrint-P4: Lightweight Behavioral Anomaly Detection for DDoS Mitigation in Programmable Networks

Authors

  • Aya Hassan, Department of Information Technology, Faculty of Computers and Informatics, Zagazig University, Zagazig 44511, Egypt, and Department of Information Technology, Faculty of Computers and Informatics, Damanhour University, Nubaria 22773, Egypt
  • Marwa M. Khashaba, Department of Information Technology, Faculty of Computers and Informatics, Zagazig University, Zagazig 44511, Egypt
  • Ehab R. Mohamed, Department of Information Technology, Faculty of Computers and Informatics, Zagazig University, Zagazig 44511, Egypt
  • Ameer El-Sayed, Department of Information Technology, Faculty of Computers and Informatics, Zagazig University, Zagazig 44511, Egypt

Keywords:

SDN, IoT Security, Behavioral Flow Fingerprinting, In-Network DDoS Detection, Real-Time Mitigation, Flow-Based Traffic Analysis.

Abstract

Distributed Denial-of-Service (DDoS) attacks continue to pose significant threats to modern programmable and IoT-enabled networks by overwhelming bandwidth, exhausting server resources, and degrading service availability. Traditional mitigation approaches largely depend on centralized control-plane analysis and volumetric thresholds, which introduce detection latency and remain ineffective against stealthy or low-rate attacks. This paper presents FlowPrint-P4, a lightweight in-network DDoS detection and mitigation framework based on behavioral flow fingerprinting implemented directly within P4-programmable data planes. The proposed framework analyzes flow-level behavioral features, including TTL variance, SYN/ACK asymmetry, TCP flag anomalies, burstiness patterns, and connection churn rates, enabling real-time identification of malicious traffic without reliance on external controllers. FlowPrint-P4 performs inline detection and packet tagging entirely within the switch pipeline, allowing immediate mitigation actions such as dropping, rate limiting, or redirection at line rate. Experimental evaluation was conducted using the CIC-IoT2023, ToN-IoT, and CIC-IoMT2024 benchmark datasets within a BMv2-Mininet programmable networking environment. Results demonstrate high detection effectiveness across multiple DDoS categories, including TCP SYN floods, UDP floods, ICMP floods, reflection/amplification attacks, and slow-rate application-layer attacks. The framework achieved high classification accuracy with low false positive and false negative rates while maintaining scalability and low processing overhead. These findings demonstrate the feasibility of behavioral fingerprinting as a practical and efficient approach for real-time in-network DDoS mitigation in programmable networks.

Published

2026-05-23

How to Cite

Hassan, A., Khashaba, M. M., Mohamed, E. R., & El-Sayed, A. (2026). FlowPrint-P4: Lightweight Behavioral Anomaly Detection for DDoS Mitigation in Programmable Networks. International Journal of Computers and Informatics (Zagazig University), 11, 16–35. Retrieved from https://www.ijci.zu.edu.eg/index.php/ijci/article/view/174