Provided are an open flow controller having an SVM-SOM combination-based DDoS detection system implemented therein, and a method thereof. The system is configured to collect flow information according to a traffic from an open flow switch, extract a plurality of attributes preset for each collected flow, classify a traffic type of the collected flow, classify an attack flow on the basis of at least one first attribute among attributes extracted through an SVM corresponding to a classified traffic type among multiple SVMs, determine whether a suspicious pattern is present through an SOM on the basis of the number of second attributes greater than the number of first attributes among the extracted attributes in a case of a flow which is not classified as an attack flow through the SVM, and classify an attack type for a corresponding flow when the attack flow is classified as an attack flow through the SVM or as a suspicious pattern through the SOM.
展开▼