Abstract:
One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, so that normal flows no longer find matching rules and must be reported to the controller. This results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion of the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the number of proactive flow rules as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the lowest overhead on normal flows. © 2022 IEEE.
Year: 2022
Page: 4167-4172
Language: English
SCOPUS Cited Count: 13
ESI Highly Cited Papers on the List: 0