Abstract
The rapid expansion of Software-Defined Internet of Things (SD-IoT) networks has amplified both scalability and vulnerability, exposing them to increasingly sophisticated multi-vector attacks such as flooding-based Distributed Denial-of-Service (DDoS), Address Resolution Protocol (ARP) spoofing, DNS spoofing, and MAC flooding. These threats exploit static control planes and centralized architectures, overwhelming controllers and bypassing threshold-based defenses through adaptive, sequential, and hybrid behaviors. To address these challenges, we propose SFARP, a multi-layered real-time security framework tailored for SD-IoT environments. SFARP integrates three coordinated modules: (1) the Dynamic Flow Analysis Module (DFAM), which leverages P4-programmed switches to extract fine-grained traffic and ARP-level features; (2) the Adaptive Dynamic Flow Detection System (ADFDS), which employs an ensemble of machine learning classifiers to detect anomalies across hybrid and multi-vector attack scenarios; and (3) the Distributed Adaptive Mitigation System (DAMS), which deploys adaptive countermeasures across a multi-controller SDN topology. In addition, we extend the evaluation to multi-vector attacks (ARP + MAC + DDoS), DNS spoofing, and ultra-dense IoT deployments, and introduce a comprehensive hardware feasibility study and ablation analysis. Extensive testing across five real-world IoT datasets (CICIoMT2024, CICIoT2023, IoTID20, Edge-IIoTset, and TON_IoT) and twelve complex attack scenarios (including hybrid, adaptive, mimicry, and sequential attacks) demonstrates SFARP's superior performance. On the CICIoMT2024 dataset, ADFDS achieved 98.3% accuracy, 97.6% precision, 98.9% recall, and a False Alarm Rate (FAR) of just 2.3%. On CICIoT2023, it maintained 96.0% accuracy and a 2.9% FAR, outperforming state-of-the-art models such as XGBoost and LightGBM across all key metrics.
SFARP also demonstrated system-level advantages by reducing controller CPU usage by over 70%, minimizing packet loss by 90%, and maintaining end-to-end detection latency under 50 ms, even under high-volume attacks. Hardware evaluations on NetFPGA and Tofino ASIC confirm carrier-grade scalability, sustaining over 250 k concurrent flows with minimal memory overhead. By integrating programmable data-plane telemetry, adaptive ML-driven detection, and distributed mitigation, SFARP provides a scalable and hardware-feasible solution for real-time defense of SD-IoT infrastructures. It represents a practical step toward securing heterogeneous IoT deployments against evolving hybrid and multi-layer attacks.
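The abstract's central claim is that adaptive and sequential attacks slip past threshold-based defenses, and that per-window ARP-level telemetry from the data plane gives a detector enough signal to catch them. The following Python sketch is an added illustration of that point; it is not code from the paper or from SFARP. It assumes a hypothetical ARP telemetry record format exported by a switch, a constructed trace (benign gateway lookups, then a low-rate ARP spoofing phase, then a MAC flooding phase), and assumed thresholds; it then contrasts a static packet-rate alarm with a multi-feature alarm over the same windows.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

GW_MAC = "02:00:00:00:00:fe"          # constructed gateway MAC
ATTACKER_MAC = "de:ad:be:ef:00:01"    # constructed attacker MAC
RATE_THRESHOLD_PPS = 100.0            # assumed static rate threshold


@dataclass(frozen=True)
class ArpRecord:
    """One ARP-level telemetry record (hypothetical export format, not the paper's)."""
    ts: float
    port: int
    src_mac: str
    op: int            # 1 = ARP request, 2 = ARP reply
    sender_ip: str
    sender_mac: str
    target_ip: str


def extract_features(records: List[ArpRecord], window: float = 1.0) -> Dict[int, Dict[str, float]]:
    """Bucket records into fixed windows and compute per-window ARP features:
    packet rate, replies not matching an outstanding request, IP->MAC binding
    flips, and the largest number of distinct source MACs seen on one port."""
    buckets = defaultdict(list)
    for r in records:
        buckets[int(r.ts // window)].append(r)
    bindings: Dict[str, str] = {}   # last IP->MAC seen in replies, persists across windows
    feats: Dict[int, Dict[str, float]] = {}
    for w in sorted(buckets):
        recs = sorted(buckets[w], key=lambda r: r.ts)
        pending: Counter = Counter()  # outstanding requests per target IP in this window
        unsolicited = flips = 0
        macs_per_port = defaultdict(set)
        for r in recs:
            macs_per_port[r.port].add(r.src_mac)
            if r.op == 1:
                pending[r.target_ip] += 1
                continue
            if pending[r.sender_ip] > 0:
                pending[r.sender_ip] -= 1
            else:
                unsolicited += 1
            prev = bindings.get(r.sender_ip)
            if prev is not None and prev != r.sender_mac:
                flips += 1
            bindings[r.sender_ip] = r.sender_mac
        feats[w] = {
            "rate": len(recs) / window,
            "unsolicited_replies": unsolicited,
            "binding_flips": flips,
            "max_macs_per_port": max(len(s) for s in macs_per_port.values()),
        }
    return feats


def static_rate_alarm(feats: Dict[int, Dict[str, float]]) -> List[int]:
    """Windows a pure packet-rate threshold would flag."""
    return sorted(w for w, f in feats.items() if f["rate"] > RATE_THRESHOLD_PPS)


def multi_feature_alarm(feats, max_unsolicited=2, max_flips=0, max_macs=16) -> List[int]:
    """Windows flagged by any ARP-level feature (assumed thresholds)."""
    return sorted(w for w, f in feats.items()
                  if f["unsolicited_replies"] > max_unsolicited
                  or f["binding_flips"] > max_flips
                  or f["max_macs_per_port"] > max_macs)


def build_sample_trace() -> List[ArpRecord]:
    """Constructed trace: 5 s of benign gateway lookups by hosts .1-.10 (ports 1-10,
    gateway on port 11), low-rate ARP spoofing in second 3, MAC flooding in second 4."""
    recs: List[ArpRecord] = []
    for sec in range(5):
        for k in range(1, 11):
            ip, mac, t = f"10.0.0.{k}", f"02:00:00:00:00:{k:02x}", sec + k / 100
            recs.append(ArpRecord(t, k, mac, 1, ip, mac, "10.0.0.254"))
            recs.append(ArpRecord(t + 0.001, 11, GW_MAC, 2, "10.0.0.254", GW_MAC, ip))
    # ARP spoofing: 3 unsolicited replies/s from port 12 claiming the gateway IP
    for i in range(3):
        recs.append(ArpRecord(3.5 + i / 10, 12, ATTACKER_MAC, 2, "10.0.0.254", ATTACKER_MAC, "10.0.0.5"))
    # MAC flooding: 40 requests/s from port 12, each with a different source MAC
    for i in range(40):
        mac = f"de:ad:00:00:{i:02x}:{i:02x}"
        recs.append(ArpRecord(4.2 + i / 100, 12, mac, 1, f"10.1.0.{i}", mac, "10.0.0.254"))
    return recs


if __name__ == "__main__":
    f = extract_features(build_sample_trace())
    print("static rate alarm windows :", static_rate_alarm(f))     # []
    print("multi-feature alarm windows:", multi_feature_alarm(f))  # [3, 4]
```

Both attack phases stay well under the assumed 100 pps rate threshold, so the rate-only detector reports nothing, while unsolicited replies and binding flips expose the spoofing window and the per-port MAC count exposes the flooding window. In a real deployment the per-window counters would be maintained by the switch and the thresholds replaced by a trained classifier, as the abstract describes for ADFDS.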