A DDoS Tracking Scheme Utilizing Adaptive Beam Search with Unmanned Aerial Vehicles in Smart Grid

Abstract

As IoT technology advances, the smart grid (SG) has become crucial to industrial infrastructure. However, SG faces security challenges, particularly from distributed denial of service (DDoS) attacks, due to inadequate security mechanisms for IoT devices. Moreover, the extensive deployment of SG exposes communication links to attacks, potentially disrupting communications and power supply. Link flooding attacks (LFAs) targeting congested backbone links have increasingly become a focal point of DDoS attacks. To address LFAs, we propose integrating unmanned aerial vehicles (UAVs) into the Smart Grid (SG) to offer a three-dimensional defense perspective. This strategy includes enhancing the speed and accuracy of attack path tracking as well as alleviating communication congestion. Therefore, our new DDoS tracking scheme leverages UAV mobility and employs beam search with adaptive beam width to reconstruct attack paths and pinpoint attack sources. This scheme features a threshold iterative update mechanism that refines the threshold each round based on prior results, improving attack path reconstruction accuracy. An adaptive beam width method evaluates the number of abnormal nodes based on the current threshold, enabling precise tracking of multiple attack paths and enhancing scheme automation. Additionally, our path-checking and merging method optimizes path reconstruction by merging overlapping paths and excluding previously searched nodes, thus avoiding redundant searches and infinite loops. Simulation results on the Keysight Ixia platform demonstrate a 98.89% attack path coverage with a minimal error tracking rate of 2.05%. Furthermore, simulations on the NS-3 platform show that drone integration not only bolsters security but also significantly enhances network performance, with communication effectiveness improving by 88.05% and recovering to 82.70% of normal levels under attack conditions.

1. Introduction

As Internet of Things (IoT) technology advances, its integration into industrial systems has grown increasingly prevalent. These applications span a wide array of sectors, including energy management, traffic monitoring, environmental governance, and smart healthcare [1,2]. Concurrently, the trend toward large-scale, collaborative operations among nodes heralds a new era in network development. The smart grid (SG), a pivotal IoT application model within industrial infrastructure, serves as a critical hub for power generation and distribution to various sectors and households [3]. Equipped with advanced communication and computing technologies, the SG enhances the efficiency, controllability, and reliability of both data and electricity transmission [4,5]. According to statistics from Adarsh Krishnan, the global count of smart meters in SG had reached 1.06 billion by the end of 2023. Projections indicate that this number will surpass 1.75 billion by 2030, exhibiting a compound annual growth rate (CAGR) of 6% [6]. A typical application scenario diagram of SG is shown in Figure 1.

Although SG offers numerous advantages, it still faces significant threats in terms of network security [7]. In December 2015, Ukraine experienced a large-scale power outage lasting several hours due to a cyber attack on its power grid system [8]. For SG, availability extends beyond accessing and using information to ensure a sufficient power supply, which is the top priority of its security attributes. Among the threats to availability, denial of service (DoS) attacks are undoubtedly the most prominent security threat [9]. In recent years, distributed denial of service (DDoS) attacks have become increasingly prevalent. These attacks have evolved into one of the most potent and direct tools in an attacker’s arsenal [10]. According to the analysis of DDoS trends from 2019 to 2023 by Olufunsho I. Falowo et al., DDoS attacks have not only escalated significantly in frequency and impact over the past five years but also the methods employed have become increasingly sophisticated, and the range of targets has continued to expand [11]. Additionally, the 2023 global DDoS landscape report by NSFOCUS highlighted that there were 52 attacks at the terabyte level in 2023, marking a 25% increase from 2022 [12].

The network nodes in SG typically possess computing power but often lack robust security mechanisms, similar to other IoT devices. This vulnerability makes SG an easy target and launch point for attacks. Traditional DDoS attacks usually target specific servers, exhausting their resources and maliciously occupying link bandwidth [13]. They continue to represent a significant portion of DDoS attacks. These often target specific systems in a many-to-one fashion, including well-known techniques like SYN flooding and UDP flooding. Moreover, newer attack strategies have emerged, including slowloris attacks and reflection amplification techniques. In recent years, link flood attacks (LFA) targeting backbone transmission links have emerged, making SG networks more vulnerable to paralysis [14]. LFA, such as Coremelt and Crossfire, typically uses legitimate client addresses to send traffic, attacking non-target nodes to occupy key links [15,16,17]. Specifically, this can result in network outages, delays in power transmission, and the inability of the control center to monitor network status [18].

In defending against DDoS attacks, four modules are essential: prevention, detection, tracking, and reaction/mitigation [19,20]. To effectively address LFA in SG, the ability to track DDoS attacks becomes particularly important. Effective tracking is crucial for accurately identifying the attack’s source and providing targeted mitigation strategies for devices along the attack path. This process includes timely traffic rerouting, diversion, mitigation, and subsequent adjustment strategies. Traditional DDoS tracking methods struggle to simultaneously trace the attack path, alleviate communication pressure, and enhance communication service capabilities in SG. However, with the ongoing development of sixth generation (6G) mobile communication technology, it has become feasible to utilize unmanned aerial vehicles (UAVs) in the Sky-Ground Integrated Network (SAGIN) to track attacks while alleviating communication congestion in SG.

UAVs boast a broader range of applications in both commercial and military sectors due to their lower costs and enhanced functionality as a type of node that can be flexibly and quickly deployed [21,22]. Additionally, UAVs have proven to be irreplaceable and highly effective in various fields such as transportation, agriculture, electricity, emergency rescue, and gas source location. UAV network can provide temporary network deployment during emergency rescue missions on the ground, especially when terrestrial networks fail, allowing a significant amount of traffic to be routed through them. This effectiveness is largely due to their ability to leverage high-altitude advantages and flexible mobility at lower altitudes [23,24,25]. Given their current widespread use, drones also maintain a competitive edge. The diverse services facilitated by UAVs are poised to be a significant highlight in the 6G landscape. Moreover, UAVs typically do not operate in isolation; they often function similarly to low Earth orbit satellites by connecting with each other to form extensive UAV networks. These communication platforms provide various services, including granting access to ground communication terminals through drone networks and offering network services to aircraft or mobile terminals in the air. Through these connections, UAVs complete the forwarding and routing of data services [26].

Therefore, we introduce a novel DDoS tracking scheme tailored for SG by UAVs. Initially, our approach features a threshold iterative update method that dynamically adapts the threshold for each subsequent search round based on the results from previous rounds. This process is synchronized with the adaptive beam width, enabling dual iterations and updates that significantly enhance the accuracy of attack path reconstruction. Additionally, we devise an adaptive beam width method within the beam search framework. This method dynamically assesses the number of abnormal nodes among the candidate nodes, using a correlation coefficient threshold to facilitate adjustments in the beam width. This process helps in generating more accurate attack paths and enhances the automation of the solution. Lastly, we introduce a path inspection and merging method. Throughout the search process, this method dynamically combines overlapping reconstructed paths and excludes previously searched nodes from the candidate nodes. This approach prevents infinite loops and redundant searches, thereby improving the efficiency of path reconstruction and conserving storage space. The scheme leverages the highly compatible characteristics of UAVmobility and beam tracking to simultaneously track multiple DDoS attack paths. While tracking these attacks, the UAVs also establish temporary communication links with the ground nodes of SG, thereby alleviating congestion in the already overloaded SG.

The remaining paper is organized as follows: Section 2 summarizes related work. Section 3 presents the details of our proposed scheme. Section 4 provides the simulation results. Section 5 concludes the paper.

2. Related Work

Some researchers have studied DDoS attack defense in SG. Shan Ali et al. proposed a method based on learning multilevel auto-encoders to address the problem of DDoS detection in SG, achieving a high accuracy of 97% on the test data set [27]. Zohaib Ahmed et al. designed a distributed method by combining software-defined networking (SDN) and blockchain technology to collaboratively detect and prevent DDoS attacks on the control plane [28].

Despite this, there are almost no research results on path tracing of DDoS attacks in SG. If we expand the scope to the entire cyberspace, techniques such as packet marking, hash logging, and ICMP-assisted tracing continue to dominate the tracking field. Among these, packet marking technology is particularly noteworthy. In this approach, defenders add routing and forwarding information to the unused fields of the data packet header to facilitate tracking [29,30]. However, this technology requires that many network devices possess the capability to encode and decode data packets. Moreover, processing the massive volume of data packets during DDoS attacks is challenging and often consumes significant resources. The method based on ICMP tracking completes route backtracking by constructing auxiliary information [31]. However, this approach uses the ICMP protocol, and during ping flooding, it becomes necessary to distinguish between attack packets and tracking packets, which can lead to potential forgery issues. If attackers successfully mislead the process, substantial resources could be lost due to erroneous tracking. Methods based on logging or hash tracing typically require very few packets to complete the trace [32]. However, these methods face challenges related to data storage and updating, and hash calculations can cause the loss of significant traffic statistical information. In recent years, notable advancements have been made in this area. D. Barak-Pelleg et al. introduced two algorithms for reproducing DDoS attack graphs using probabilistic packet marking. These algorithms not only achieve excellent tracing results but also provide specific experimental outcomes [33]. Additionally, N. Sundareswaran et al. accomplished commendable results in traffic filtering through an innovative and enhanced packet marking technique applied in a blockchain network [34].

Regarding Link Flooding Attacks (LFA), which are the focus of this article, some research teams have also achieved significant results, providing valuable insights for subsequent studies. Based on traffic analysis, Mostafa Rezazad et al. detected LFA using support vector machines (SVM) and random forests (RF) [35]. Juan Wang et al. designed a defense system called LFADefender, which detects, mitigates, and blocks LFA based on software-defined networking (SDN) with low overhead [36]. Takayuki Hirayama and colleagues used the phenomenon of increased traceroute packets before an attack to monitor conditions in various regions and preemptively defend against LFA [37]. Dimitrios Gkounis also utilized SDN to design an online traffic engineering mechanism based on policies to achieve mitigation and detection of Crossfire attacks within LFA [38].

The beam search algorithm was first introduced in 1977 [39]. Its subsequent extensive use has underscored the critical role of beam width in determining the effectiveness of the search process. Various studies have explored search depth and width, particularly in domains such as Neural Machine Translation (NMT), Natural Language Processing (NLP), and millimeter-wave communications [40,41,42]. While these studies have achieved positive results in their respective fields, to the best of our knowledge, no research has yet established a connection between them and DDoS defense.

We recognize that the beam search algorithm is particularly well-suited for tracking DDoS attack paths with the assistance of UAVs. They can naturally move dynamically in three dimensions along with the tracking beam, efficiently acquiring attack paths by collecting attack characteristics in real time and performing lightweight computations. At the same time, the introduction of UAVs can help establish temporary communication links for the originally congested ground network, alleviate communication pressure, and improve the service quality of legitimate traffic. If we assume that there are N nodes in the network, with a beam width of B, and the longest topological length in the network is L, then the time complexity of the beam search can be expressed as $O\left(NBL\right)$ [43]. The complexity is lower than the $O\left(N^{2}L\right)$ of the Viterbi algorithm and is more efficient compared to the greedy search’s $O\left(NL\right)$ [43]. Simultaneously tracking multiple attack paths in a single tracing process proves to be beneficial in significantly enhancing the tracing efficiency. However, merely considering these factors does not fully address the multifaceted requirements of DDoS tracking. To enhance the tracking coverage rate and reduce the false tracking rate, it is imperative to dynamically adjust the beam width during the tracking process. Consequently, we introduce a DDoS tracking scheme utilizing adaptive beam search with UAVs in SG. The subsequent section will provide a detailed exposition of this scheme.

3. The Proposed Tracking Scheme with Adaptive Beam Width

3.1. Problem Statement and System Model

In this subsection, we first clarify the problem that this paper aims to solve. Figure 2 depicts a scenario in which SG, under a DDoS attack, is mitigated and tracked using UAVs. In this scenario, a hacker launches an attack on a target victim by controlling a botnet within the terrestrial network. This malicious traffic is then forwarded and propagated through the nodes in the SG. Such an attack can lead to various consequences. One possible outcome is that the malicious traffic is completely forwarded to the victim (potentially a specific target node, such as the control center in the SG), rendering them unable to control the power transmission status in the SG. This represents a traditional DDoS attack model. Another potential consequence is that the attacker targets certain core network links with insufficient bandwidth, causing these links to lose communication capabilities due to excessive malicious data packets occupying the bandwidth. This is the LFA mentioned earlier. Therefore, it is necessary to utilize drones to temporarily increase network capacity while tracking the attack path.

As a defense mechanism, the primary device we can control is the UAV node. The core challenge addressed in this paper is how to effectively use UAVs to track DDoS attacks. Existing solutions usually focus on tracking along a single path, which is insufficient for dealing with distributed attacks involving multiple paths. To address this limitation, we propose an adaptive beam search tracking scheme that demonstrates high efficiency and accuracy in tracking DDoS attack paths. Following this introduction, we briefly outline our proposed scheme and its operational workflow. The process begins with the extraction of traffic features, leading to the initial establishment of thresholds and subsequent iterative updates. In response to these updated thresholds, the beam width is dynamically adjusted, facilitating the continuous reconstruction of the attack path. Using this tracking path, we evaluate and adjust the candidate node set in real time, ultimately achieving accurate identification of the attack source and thorough tracking of the attack trajectory. The workflow of the process is shown in Figure 3.

According to the focus of our research, the primary DDoS attack method we address is the LFA, along with similar network-layer DDoS attack strategies such as SYN, UDP, and ICMP attacks. Therefore, this article does not cover other DDoS attack methods like the application layer. Our scheme fully exploits the flexibility of UAVs in communication systems. Compared with fixed network nodes, UAVs are naturally more suitable for the beam search approach with adaptive beam width because they can update their coverage area in sync with the beam search and continuously move closer to the attack source. In addition, UAVs have a unique aerial perspective and can obtain comprehensive traffic feature information required to track DDoS attacks through temporary network connections. Moreover, their rapid deployment and configuration can quickly form a three-dimensional defense line after tracking the DDoS path, effectively resisting attacks.

3.2. Threshold Setup and Iterative Update

Our initial step involves the regular extraction of network node characteristics that are closely associated with DDoS attacks. These characteristics include the distribution of different protocols within packets over a defined statistical period, the rate of TCP (Transmission Control Protocol) flags within TCP packets, and the distribution of packet lengths. Additionally, we assess the entropy levels of source addresses, destination addresses, source ports, and destination ports to measure the confusion at each of these dimensions. In this paper, the calculation of these entropies is improved and quantified based on the method of Wei Guo et al. [44,45,46,47]. In addition, we calculate the number of packets, packet rate, and total number of packet bytes. After that, we denote the statistical feature set of network node $\alpha$ in a cycle as ${\mathrm{\Omega }}_{\alpha }$ [44,46].

$${\mathrm{\Omega }}_{\alpha }=\{I_1,I_2,...,I_{10}\},$$

(1)

where, $I_1$ to $I_{10}$ correspond to the types of statistical characteristics. Next, we will introduce them in detail.

• Botnets typically launch attacks through automated means, aiming to congest the network with maximum efficiency. To achieve this, they often opt to send data packets with the largest possible length. Under normal conditions, the length of communication data packets from legitimate users is usually unevenly distributed. Therefore, by statistically analyzing the distribution of packet lengths, the abnormality of traffic forwarded by SG nodes can be effectively evaluated. While methods like replay attacks often utilize legitimate users’ data packets to instigate an attack, evaluating data packet lengths remains a valuable tool in effectively assessing potential DDoS threats. For replay attacks specifically, we employ several analytical dimensions introduced later to perform comprehensive evaluations. These assessments are based on the impacts of resource or bandwidth consumption attributed to replay attacks, thereby ensuring our solution’s comprehensiveness and robustness. Therefore, we refer to the definition of entropy in information theory to represent this level of disorder [48]:

  $$H=-\sum _{i=1}^M{\displaystyle \frac{S_i}{C}}{log}_2{\displaystyle \frac{S_i}{C}},$$

  (2)

  where $S_i$ represents the number of data packets which fall into a certain category, M is the total number of categories and C is the total number of data packets forwarded by a certain SG node within this statistical period.

  $$C=\sum _{i=1}^M{S}_i.$$

  (3)
• During the communication process, a significant number of TCP protocol messages are often generated. Each TCP flag serves a distinct function. Under normal circumstances, the connections established through the three-way handshake exhibit a relatively balanced ratio of SYN (Synchronize Sequence Numbers), ACK (Acknowledgment), PSH + ACK, FIN (Finish), RST (Reset), and RST + ACK flags. However, when attackers aim to launch a DDoS attack by exhausting network resources, they often disrupt this balance in the distribution of TCP flags.
• In addition to TCP packets, communication involves many other types of protocols. Under normal circumstances, these protocols tend to have a relatively stable share of the overall traffic. However, if a UDP attack is launched—whether it be a simple UDP flood or a reflection amplification attack—the proportion of UDP traffic will noticeably increase. Similarly, in the event of a Ping Flood or Death of Ping attack, the proportion of ICMP traffic will surge. Therefore, monitoring the distribution of various protocol types is crucial for assessing the status of network nodes.
• Each node is also required to count the source and destination addresses. Under normal circumstances, the number of source and destination addresses is relatively stable and does not fluctuate significantly. However, during an attack, a large influx of zombie nodes can introduce many fake, random, or unfamiliar IP addresses in the source addresses, while destination addresses tend to be concentrated. Therefore, the indicator reflecting the situation with source addresses, can be calculated using Equation (2).
• As mentioned earlier, the entropy of the destination addresses decreases when an attack occurs. Recently, DDoS attacks known as “carpet bombing” target IP addresses within a specific network segment and attack in batches [49,50,51]. Although this method makes the attack characteristics less obvious, it still impacts the overall entropy value. The indicator can also be calculated using Equation (2).
• The ratio of data packets sent by the server to those sent by the client can also reflect the smooth operation of the network. An obvious imbalance in this ratio generally indicates the presence of an attack or an emergency situation.
• Similar to the entries for addresses, port numbers often exhibit similar statistical characteristics. Some zombie hosts will frequently switch source ports to exhaust victim resources or establish incorrect connections.
• When an attacker launches DDoS attacks, a large number of attack packets are sent to a specific port. Additionally, before the attack is launched, the attacker may also perform port scanning on the network, leaving some clues on this feature.
• The total length of packets can be used to roughly estimate the total traffic. Although network traffic is inherently fluctuating, significant changes in this value can indicate unusual activity. To mitigate issues related to large variations, we use a logarithmic calculation method similar to that employed in the previous solutions of Wei Guo et al. [46].
• It is important to note that the total number of data packets is also a crucial network characteristic during this statistical period. Therefore, it is necessary to introduce an additional indicator based on the previous work.

At the outset of the initial search round, a traffic correlation coefficient threshold, denoted as T, is established based on available attack data or historical experience to distinguish between nodes affected by attacks, referred to as ‘abnormal nodes’, and normal nodes. Subsequently, candidate nodes are compared using the beam search method. In the case of DDoS attacks, given their distributed nature, the attack traffic typically exhibits a funnel-like pattern [52]. This means that the malicious traffic becomes more dispersed as one moves closer to the attack source, whereas the malicious traffic is concentrated closer to the attacker’s end. Consequently, the traffic correlation coefficient between the current node and its upstream node is calculated. The following observations can be deduced under the characteristics of DDoS attacks: the correlation coefficient between abnormal and abnormal nodes is higher than between normal and normal nodes, and the latter is significantly higher than between abnormal and normal nodes. It is because, during an attack, the traffic characteristics of abnormal nodes become accentuated as attack-specific traits and exhibit high consistency. On the other hand, normal nodes tend to exhibit fluctuations when handling various business traffic, resulting in slightly more remarkable dissimilarities compared to the former. As a result, the demarcation line between normal and abnormal nodes is more distinct, leading to an even lower correlation coefficient. The calculation process of the correlation coefficient between $\alpha$ and $\beta$ is as follows [53]:

$$R_{\alpha ,\beta }={\displaystyle \frac{{\sum }_{i=1}^{10}{\mathrm{\Omega }}_{\alpha ,i}\times {\mathrm{\Omega }}_{\beta ,i}}{\sqrt{{\sum }_{i=1}^{10}{\mathrm{\Omega }}_{\alpha ,i}^2}\times \sqrt{{\sum }_{i=1}^{10}{\mathrm{\Omega }}_{\beta ,i}^2}}},$$

(4)

where, ${\mathrm{\Omega }}_{\alpha ,i}$ is the i-th feature of node $\alpha$ and ${\mathrm{\Omega }}_{\beta ,i}$ is the i-th feature of node $\beta$.

Next, the threshold is employed to categorize the candidate nodes. Network nodes that exhibit a correlation coefficient exceeding T, when compared to the traffic characteristics at the current search initiation point, are organized as abnormal nodes. In contrast, those with a correlation coefficient below T are classified as normal nodes. The adjustment of the beam width B is determined based on the number of abnormal nodes. Subsequently, the new threshold for the next search round is established by selecting the lowest correlation coefficient value $R_{min}$ among abnormal nodes and the highest correlation coefficient value $R_{max}$ among normal nodes. The threshold T is updated by calculating the mean of $R_{min}$ and $R_{max}$, drawing on the concept of clustering. The approach can be conceptualized as plotting different correlation coefficients on a scatter plot. Then, the two points that are closest to the region of the opposing category are identified as boundary values. Thus, we establish the threshold by calculating the average of these two values, which serves as the clearest line of demarcation.

The extraction of these features proves highly effective for identifying UDP and ICMP attack traffic infiltrating the SG. They allow for the multidimensional calculation and evaluation of the distinctions between normal operational traffic and the disruptive patterns characteristic of UDP and ICMP flooding. This capability forms a fundamental safeguard, enabling the effective tracking of various DDoS attacks within this framework. Furthermore, leveraging the mobility features of drones enhances this strategy by offering near-source protection to secure SG in our jurisdiction. Additionally, while our primary focus is on designing solutions for LFA, we remain vigilant about potential connection-related attack methods, such as those involving TCP. These methods, which can manifest in various forms at the application layer, pose substantial risks. Consequently, we are equipped to track attack paths by statistically analyzing TCP protocol data packets. This analysis begins with flag bits and incorporates other pertinent information, such as ports and addresses, allowing us to identify and mitigate malicious connections and illegal requests effectively. Among TCP attacks, SYN attacks stand out as particularly perilous, often regarded by attackers as one of the simplest yet most effective methods. The comprehensive evaluation of characteristics, as mentioned earlier, allows for the cross-identification and assessment of SYN attack patterns. For instance, if there is an abnormal many-to-one relationship in the address and port information within a certain time frame or a sudden increase in the proportion of SYN flags, it can effectively pinpoint SYN attacks. It should be noted that our tracking scheme is also designed to address slow connection attacks within the context of DDoS incidents. When such attacks are detected, key indicators include the scarcity of TCP packets bearing the FIN flag, the ongoing transmission of unusually short PSH+ACK or ACK packets, and ACK or PSH+ACK packets sent from the same source IP at extended intervals. These signs suggest the presence of an attacker attempting to maintain connections indefinitely to exhaust target resources. This careful consideration ensures that our system is well-equipped to identify and respond to such attacks efficiently.

3.3. Adaptive Beam Search Width

The objective of this subsection is to dynamically adjust the beam width B, as mentioned in the previous subsection. Hence, we introduce our beam adaptation method using Algorithm 1 in this subsection. Please note that subsections A and C in this section have been omitted from the algorithm for clarity and focus. $N_{tracer}$ represents the current node executing beam searching, while $N_{candidate}$ denotes the set of all candidate nodes included in the current search round. The term $Path$ refers to the result of the last round, while $Pat{h}^{\prime }$ is the result updated in the current round. $N_{searched}$ is defined as the subset of nodes within $N_{candidate}$ that have already been searched.

Algorithm 1 The Algorithm with Adaptive Beam Width

Require: $N_{tracer}$, $N_{candidate}$, $B=0$, T, $Path$, $N_{searched}$ Ensure: $Pat{h}^{\prime }$   1: for each n∈$N_{candidate}$ do   2:    Calculate $R_{n,N_{tracer}}$ with (4)   3:    Compare $R_{n,N_{tracer}}$ with T   4:    if $R_{n,N_{tracer}}$>T then   5:      B++   6:    end if   7: end for   8: Derive $top-B$ nodes from $N_{candidate}$   9: for each n∈$top-B$ nodes do  10:    if n∉$Path$ and n∉$N_{searched}$ then  11:      add n to $Path$  12:    end if  13: end for  14: Set $Path$ as $Pat{h}^{\prime }$

The beam width B dictates the number of nodes selected from the candidate nodes during each search round. A larger beam width improves search effectiveness but demands more memory and computing power. Conversely, a more minor beam width results in reduced search accuracy but conserves memory and computing resources [54].

At the onset of the search process, each round of alternative node selection is carried out by the threshold setting and the threshold value T established by the iterative update method. Based on the classification result derived from threshold T, the beam search width B is adjusted to match the number of nodes above the threshold, effectively updating the beam width. This means that B is always equal to the number of nodes classified as abnormal. The variation of B is reflected in the results of node classification based on the threshold, which is continuously updated. Therefore, the method ensures the continual adjustment of the beam width during each search round, enhancing the attack path reconstruction capabilities.

3.4. Real-Time Check and Adjustments

During path reconstruction, it is imperative to conduct real-time checks. Nodes that are part of the reconstructed path or have been previously searched for are eliminated from the candidate nodes if they reappear. It is to prevent redundant searches for the same nodes, optimize the storage of reconstructed paths, and mitigate the risk of the algorithm entering an infinite loop or conducting invalid searches. It enhances reconstruction efficiency and conserves storage space.

In the event of an issue arising during the threshold T setup process, both the beam width B and threshold T will temporarily remain unchanged, and they will be retained from the last search round. Since inappropriate threshold settings can lead to errors in subsequent search rounds, rectification, and rollback should be promptly implemented to ensure the scheme’s practical viability and avert the accumulation of erroneous iterations.

In cases of LFA or other traditional UDP or ICMP attacks on congested links, drones will establish new transmission links with the tracked network edge nodes to alleviate the pressure on the original terrestrial links. Concurrently, firewalls or control policies will be implemented at relevant nodes to intercept malicious traffic. For attacks aimed at resource depletion, such as SYN attacks, drones will similarly establish transmission links. They dynamically adjust network resources and deploy policies specifically designed to block malicious connections, all while safeguarding legitimate users’ access and maintaining connectivity.

4. Results and Performance Evaluation

4.1. Experimental Setup

To assess the efficiency of our scheme, we established a simulation experiment platform. The simulation test was conducted under the following conditions: utilizing a 16-core 12th Gen Intel(R) Core(TM) i7-1260P 2.10 GHz computer with 16 GB of memory. The scenario was developed using Node.js and tested on Visual Studio Code on a Windows 11 platform. Furthermore, we employed IXIA BreakingPoint to generate both DDoS attack traffic and normal network traffic. Additionally, we conducted NS-3 network simulation experiments on a virtual machine running Ubuntu 22.04. The virtual machine is equipped with 8 GB of RAM, includes four dual-core processors, and has 80 GB of hard disk storage.

Initially, we must define the topology, attack paths, victim nodes, and the initial threshold T used for each test. Following this, we employ Ixia BreakingPoint to generate both normal and attack traffic, simulating nodes in the network forwarding either normal or attack traffic. These nodes are likely present among the candidate nodes. Subsequently, the actual core code testing commences. The beam search initiates from the victim nodes, adhering to the workflow detailed in Section 3. It traverses candidate nodes, compares with the threshold T to determine the beam size B for the round, selects abnormal nodes, and ultimately decides whether to update the threshold T based on the traffic characteristics of these nodes. The process repeats for multiple rounds, continuously checking for duplicate nodes and overlapping paths. The results of each testing round are then output.

To enhance the credibility of the results, our testing used network topologies that had already undergone DDoS tracking testing. Although these topologies are not specifically designed for SG scenarios, they originate from various network environments and hold significant reference value. Most importantly, by simulating these established topologies, we can conduct a fair comparison with existing schemes. This comparison allows us to evaluate the performance improvements of our proposed scheme in terms of tracking accuracy. During the simulation process, the same attack path within the same topology was tested 400 times to ensure reliability. These 400 tests include 100 instances each of UDP attacks, SYN attacks, ACK attacks, and ICMP attacks. Additionally, multiple attack paths with varying characteristics were tested for each topology. By modifying and expanding these two types of topologies, other topologies can also be derived to a certain extent. Thus, we strive to ensure the universality and robustness of our simulation testing.

4.2. Performance Analysis of Tracking Accuracy

For the purpose of testing and comparison, we initially utilized topology diagrams that have previously been tested for DDoS tracking, specifically the tree topology and ring topology [45,46,55]. Both topologies are illustrated in Figure 4 and Figure 5. Additionally, to facilitate comparison with the results from other research teams, we abstracted the topology provided by H-C. Lin et al. for DDoS tracking into the connection relationships shown in parts (a) and (b) of Figure 6 [56]. Consequently, we have a total of four topologies for testing in this section.

In the tree topology, we randomly selected 1–4 cluster subtrees as the attack sources and another leaf node as the victim. In the ring topology, we randomly selected 3–5 entry points as the attack sources and one boundary node as the victim, involving attacks of the same type. In the network topology constructed by H-C. Lin et al., we used the attack paths selected by the original authors. There are 4 attack paths in Figure 6a, involving a total of 7 nodes contaminated by malicious traffic. Additionally, there are 5 attack paths in Figure 6b, with 7 contaminated nodes as well.

We aim to include more topologies that represent common network structures in our testing methodology. This deliberate inclusion is intended to enhance the practicality of the test results and facilitate more robust comparisons with existing works to validate the effectiveness of our tracking approach.

While conducting seven sets of simulation tests for these topologies, the attack path coverage rate (similar to tracing accuracy) and false tracking rate were employed as performance evaluation metrics. The former metric denotes the percentage of nodes contaminated by attack traffic that are successfully tracked, while the latter indicates the percentage of normal nodes that are erroneously tracked. All results are shown in Figure 7.

In the test of the tree topology, as shown in Figure 7a, our scheme achieves an average tracking accuracy of 100% and an average false tracking rate of 1.72%. This accuracy rate represents a slight improvement in path coverage compared to the previous TPT scheme [45]. It is important to note that the TPT scheme already achieved a 99.5% accuracy rate in the same topology. Thus, a more accurate interpretation is that the proposed scheme maintains the advantage of an extremely high accuracy rate. Simultaneously, our false tracking rate has decreased. When compared with the prior TPT scheme [45], the new scheme substantially enhances functionality, enabling the simultaneous tracking of multiple attack paths while preserving a high level of accuracy. The specific test results are presented in

Table 1. Coverage rate and false tracking rate in tree topology.

Attack Route	Coverage Rate	False Tracking Rate
1 Subtree	100%	1.73%
2 Subtrees	100%	1.82%
3 Subtrees	100%	1.76%
4 Subtrees	100%	1.55%

.

In the test of the ring topology, as shown in Figure 7b, our scheme achieves an average tracking accuracy of 99.81% and an average false tracking rate of 2.24%. Compared to one of our previous tracking solutions, which had an accuracy rate of just 94.2% [46], we have observed a notable enhancement in tracking accuracy. Similarly, we have expanded our tracking capabilities to address distributed attack sources simultaneously. Although there is still a minimal number of normal nodes being tracked erroneously, from a practical standpoint in DDoS defense, such a low percentage does not significantly impact the inspection and mitigation efforts of network nodes following an attack. Conversely, our scheme substantially enhances the coverage ratio of attack paths, thereby significantly improving the effectiveness of defense measures. The specific test results are presented in

Table 2. Coverage rate and false tracking rate in ring topology.

Attack Route	Coverage Rate	False Tracking Rate
3 Entrances	UDP 100.00%	1.44%
	SYN 100.00%	1.78%
	ACK 99.89%	3.11%
	ICMP 100.00%	2.17%
4 Entrances	UDP 100.00%	2.22%
	SYN 100.00%	3.17%
	ACK 100.00%	2.94%
	ICMP 100.00%	1.22%
5 Entrances	UDP 99.59%	1.18%
	SYN 99.59%	1.77%
	ACK 99.14%	4.59%
	ICMP 99.45%	1.32%

.

Furthermore, to demonstrate the superior performance of our newly proposed scheme, we conducted comparisons not only with our previous works but also with the experimental results of others. In the two topologies proposed by H-C. Lin et al. [56], our scheme achieved tracking accuracies of 98.50% and 97.25%, respectively, as compared to the accuracy rates of 98.33% and 94.64% reported in their work, as shown in Figure 7c,d. This comparison further proves the effectiveness of our solution.

4.3. Performance Analysis of Tracking Time

To comprehensively evaluate the proposed beam search-based tracking scheme, we also simulated and tested the relationship between tracking time and hop number. Existing research often shows that tracking time increases with the extension of the attack path. By simulating this relationship, we can more effectively evaluate the speed of the tracking scheme.

We distributed the simulation code so that it could be deployed on multiple Ubuntu virtual machines on a large scale. The host machine, running Windows 11, communicates with these virtual machines via the Secure Shell (SSH) command to simulate a scenario where DDoS attacks the ground network, and the drone accesses the network to assist in tracking the attack. During tracking, the drone establishes a temporary communication channel between ground nodes based on the coverage area size, providing relay communication. This allows the drone to collect and analyze traffic characteristics in the original ground link to complete the tracking.

Based on this, the simulation aims to test the change in tracking time as the path length increases from 1 hop to 15 hops. We assume the drone can cover a range equivalent to a 3-hop path, with a communication delay between the drone and ground node of 50ms. The simulation results are shown in Figure 8. The tracking time of this scheme increases step-by-step with the number of hops. For path lengths from 1 to 3 hops, there is no additional tracking time increase due to drone movement or switching, as the traffic characteristics required for tracking can be directly collected by the drone. The same applies to path lengths from 4 to 6 hops and from 7 to 8 hops. The step increase in path length is because the drone needs to select the next possible attack path area to access and establish a new communication link based on the tracking results at 3 hops. This period includes the three RTTs required for the three-way handshake, as well as other time consumption caused by link communication fluctuations, drone movement, and other factors.

Whether compared with the growth rate of 2 s per hop in our original work, LDBT [47], or with the linear growth law of TracePack as discussed in Zakwan AlArnaout et al.’s work [57], this solution achieves a significantly lower tracking time, thus ensuring faster tracking speeds. It should be noted that in the work of Zakwan AlArnaout et al., only a partial data graph of the hop numbers was provided, without specific values. Therefore, the green dotted line in our figure is derived from extracting data points from their figure and fitting these points according to the close relationship mentioned by their author team, thereby approximating the growth trend.

4.4. Performance Analysis of Communication Improvement

To fully evaluate our approach from both security and communication perspectives, we simulated the introduction of drones to test improvements in network communication. As illustrated in Figure 4, drones are represented by blue nodes. During DDoS attacks that congest the main links, drone nodes temporarily connect with other ground nodes to replace or share the traffic load of the main links, thereby expanding communication capabilities. It ensures the tracking of DDoS attack paths while maintaining the transmission and forwarding of normal traffic. We used the previously mentioned NS-3 network simulation tool to construct the network topology shown in Figure 4. To simplify the routing environment while retaining nodes 1, 2, 3, and 4, other nodes were abstracted into clusters.

In our simulation setup, we designated the links between nodes 1 and 4, nodes 2 and 3, and nodes 2 and 4 as backbone links with a latency of 20 ms and bandwidth of 100 Mbps. Other links, characterized as branch links, had a latency of 50 ms and bandwidth of 50 Mbps. After randomly selecting nodes to represent servers and clients, we measured standard communication metrics such as total number of packets, packet loss rate, average latency, and throughput, as shown in the ‘Normal running’ column of

Table 3. Comparison of Network Communication Capability Simulation.

Scenario/Indicator	Normal Running	DDoS Attack	UAV Intervention	Improvement and Recovery
Total number of packets	16,718	6516	12,878	97.7% and 77.0%
Packet loss rate	0.0%	0.2%	0.0%	100.0% and 100.0%
Average latency	0.12 s	0.36 s	0.15 s	58.3% and 75.0%
Throughput	3.96 Mbps	1.59 Mbps	3.12 Mbps	96.2% and 78.8%

. We then randomly selected additional nodes to initiate DDoS attacks by sending UDP attack traffic to the servers while maintaining normal traffic. Under these conditions, we observed a significant decrease in normal traffic data and throughput, with increases in latency and packet loss rate. Lastly, we introduced drone nodes into the network, establishing new communication links to expand the network and alleviate the traffic pressure caused by the attacks. The parameters for the drone links were consistent with those of the branch links. The introduction of drone links led to an improvement in all communication metrics compared to during the DDoS attacks.

We defined two metrics, the improvement rate, and the recovery rate, to evaluate the performance enhancements after integrating drone nodes into the network. The improvement rate measures the percentage improvement in network metrics after drone intervention compared to during a DDoS attack, while the recovery rate measures how closely the performance after drone intervention approaches that of normal operations. The data from Table 3 show that drone nodes, by establishing new communication links, substantially mitigated the effects of network congestion. Packet numbers increased by 97.7%, recovering to 77.0% of normal conditions. Packet loss fully recovered, latency improved by 58.3% and returned to 75% of the normal latency, and throughput substantially increased by 96.2%, reaching 78.8% of the normal throughput. These simulation results underscore the dual advantages of integrating drone nodes: they not only accurately trace DDoS attack paths but also significantly enhance network service capabilities. Overall, metrics improved by an average of 88.05%, with recovery reaching more than 82.70% of the normal operational levels.

We assessed the effectiveness of our proposed solution in three key areas: tracking accuracy, the trend of tracking time relative to path length, and improvements in communication quality. To ensure the reliability of our experimental data, we utilized network topologies previously employed by other research teams for a balanced comparison. Our results demonstrate superior performance compared to existing methods. Additionally, we conducted comparative tests in scenarios with and without UAV intervention to gauge the impact on network communication. The findings clearly indicate that our solution can effectively alleviate congestion in network links caused by attack traffic, enhancing the resilience of the targeted SG. Therefore, our comprehensive evaluation across security and communication dimensions confirms that this approach is robust in mitigating both traditional DDoS and novel LFA attacks in SG environments.

5. Conclusions

Effectively leveraging drones to track and mitigate DDoS attacks in SG is crucial. In response to potential LFA that could cripple key SG links, we propose a tracking scheme that utilizes a beam search algorithm with adaptive beam width. This approach enables the simultaneous reconstruction of multiple attack paths and the precise identification of bots. The threshold iterative update method dynamically adjusts the threshold in each search round based on the results from previous rounds, thereby enhancing the accuracy of attack path reconstruction. The adaptive beam width method is implemented within the beam search framework, dynamically assessing the number of abnormal nodes among the candidate nodes. This assessment contributes to improved automation of the scheme by facilitating the generation of attack paths. The path inspection and merging method combines overlapping reconstructed paths dynamically and excludes previously searched nodes from the set of candidate nodes. It prevents infinite loops and invalid searches, leading to enhanced reconstruction efficiency and conserving storage space. In our simulations, we utilized the Keysight Ixia platform to generate traffic data, simulating various scenarios, including LFA and other traditional DDoS attacks across different network topologies. The results of these simulations demonstrate the effectiveness of our scheme, which achieves an impressive success rate of 98.89%, coupled with a remarkably low false tracking rate of 2.05%. At the same time, the tracking time required by this scheme increases only in a step-like manner with the length of the attack path, which is also optimized compared to existing solutions. Besides, we conducted simulations on the NS-3 platform to assess communication service capabilities, finding that the inclusion of drone nodes led to a significant enhancement in overall network performance with an average improvement of 88.05% in network service capabilities and an average recovery rate of 82.70% of the conditions typically observed under normal operations. Overall, this scheme significantly bolsters SG’s defense capabilities against DDoS attacks.