CCS2025
SISTAR: An Efficient DDoS Detection and Mitigation Framework Utilizing Programmable Data Planes
Junjie Hu, Feng Guo, Qihang Zhou, Yixin Zhang, Zibo Gao, Yinglong Han, Zhiqiang Lv
Abstract
DDoS attacks have become one of the most severe cybersecurity threats, especially application-layer attacks. With the emergence of Programmable Data Planes (PDPs), it has become possible to maintain line-rate throughput while achieving high detection rates, making PDPs crucial in addressing DDoS challenges. However, due to the complexity of DDoS attacks, detection remains resource-intensive and overall network defense effectiveness is limited. This limitation becomes particularly pronounced in clustered environments, where coordinated defense is essential. This paper presents SISTAR, an innovative framework for efficient DDoS detection and mitigation using PDPs. SISTAR integrates an improved Decision Tree - Constrained Threshold Segmentation (DT-CTS) model to achieve high detection accuracy while minimizing hardware resource usage. Through distributed deployment across multiple switches, SISTAR enhances network resilience by enabling rapid detection and coordinated response to DDoS attacks. We implement a prototype of SISTAR and evaluate its performance in a realistic testbed. The experimental results show that SISTAR surpasses existing models in terms of detection accuracy and resource efficiency. When combined with its alert pushback mechanism, SISTAR can effectively reduce network resource consumption caused by DDoS attacks.