# A hybrid machine learning approach for detecting DDoS attacks in software-defined networks

**Authors:** Iftekhar Ahmed Mahar, Kamran Aziz, Prasun Chakrabarti, Naveed Ahmed, Mohamad Ladan, Yasir Javed

PMC · DOI: 10.1038/s41598-026-35458-w · Scientific Reports · 2026-01-28

## TL;DR

This paper introduces a hybrid machine learning model for detecting DDoS attacks in SDN environments with high accuracy.

## Contribution

A novel hybrid RF-XGB classifier using SDN-specific features for improved DDoS detection.

## Key findings

- The hybrid RF-XGB model achieved 99.36% accuracy in DDoS detection.
- SDN-specific features significantly improved detection performance compared to traditional methods.
- The model showed near-perfect discrimination in ROC AUC and confusion matrix evaluations.

## Abstract

Software-Defined Networking (SDN) introduces programmability and centralized control to modern networks, but this flexibility also exposes both the controller and data plane to severe threats such as Distributed Denial of Service (DDoS) attacks. Effective early detection of these attacks requires SDN-aware traffic features that capture the unique behavior of OpenFlow-based environments. This study presents a machine-learning framework for distinguishing benign and malicious traffic using a dataset constructed directly from an SDN testbed employing a Ryu controller and Open vSwitch. Flow and port-level statistics were periodically collected through OpenFlow monitoring messages, enabling the extraction of new SDN-specific features tailored for DDoS detection. A hybrid classification model that integrates Random Forest (RF) with the XGBoost (XGB) classifier is proposed to enhance detection performance. The hybrid RF-XGB model demonstrates clear superiority over individual classifiers, achieving an accuracy of 99.36% and exhibiting near-perfect discrimination in ROC AUC and confusion matrix evaluations. These results confirm that combining SDN-based feature engineering with ensemble learning provides a highly effective and reliable approach for early DDoS detection in programmable networks.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12909994/full.md

## Figures

10 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12909994/full.md

## References

26 references — full list in the complete paper: https://tomesphere.com/paper/PMC12909994/full.md

---
Source: https://tomesphere.com/paper/PMC12909994