A hybrid machine learning approach for detecting DDoS attacks in software-defined networks
Abstract
Software-Defined Networking (SDN) introduces programmability and centralized control to modern networks, but this flexibility also exposes both the controller and the data plane to severe threats such as Distributed Denial of Service (DDoS) attacks. Effective early detection of these attacks requires SDN-aware traffic features that capture the unique behavior of OpenFlow-based environments. This study presents a machine-learning framework for distinguishing benign and malicious traffic using a dataset constructed directly from an SDN testbed employing a Ryu controller and Open vSwitch. Flow- and port-level statistics were periodically collected through OpenFlow monitoring messages, enabling the extraction of new SDN-specific features tailored for DDoS detection. A hybrid classification model that integrates a Random Forest (RF) classifier with an XGBoost (XGB) classifier is proposed to enhance detection performance. The hybrid RF-XGB model demonstrates clear superiority over individual classifiers, achieving an accuracy of 99.36% and exhibiting near-perfect discrimination in ROC AUC and confusion matrix evaluations. These results confirm that combining SDN-based feature engineering with ensemble learning provides a highly effective and reliable approach for early DDoS detection in programmable networks.