© SEP 2025 | IRE Journals | Volume 9 Issue 3 | ISSN: 2456-8880
IRE 1710969 ICONIC RESEARCH AND ENGINEERING JOURNALS 1840

Improving DDoS Detection in Software-Defined Networks Through a Hybrid Machine Learning Approach

FRANCIS ONOJAH 1, PROF. PREMA KIRUBAKARAN 2, DR. RIDWAN KOLAPO 3, DR. TEMITOPE OLUFUNMI ATOYEBI 4, DR. R. RENUGA DEV 5

1, 2, 3, 4 Department of Information Technology, Nile University of Nigeria.
5 Associate Professor, Department of Computer Science and Applications, Faculty of Science and Humanities, SRM Institute of Science and Technology, Chennai Ramapuram.

Abstract- Distributed Denial of Service (DDoS) attacks remain a significant concern for network security, using flood-like traffic at the volume, protocol, and application levels to exploit vulnerabilities in today's infrastructure. To lessen these risks, Software-Defined Networking (SDN) offers programmability and centralized control. However, current machine learning (ML)-based detection techniques have a high false positive rate, are not very flexible against zero-day attacks, and are ineffective when handling high-dimensional flow data. To enhance the detection of DDoS attacks in software-defined networks, this paper proposes a hybrid machine-learning approach. Tapping into SDN's broad view of all network flows, the system studies traffic in real time by merging supervised deep learning (in this case, Long Short-Term Memory) with an unsupervised anomaly detection method called Isolation Forest. The LSTM sorts incoming packets and learns new normal behavior, while the Isolation Forest flags any stray patterns that don't fit.

Keywords: DDoS attacks, network security, Long Short-Term Memory (LSTM), CNN

I. INTRODUCTION

The magnitude and sophistication of Distributed Denial of Service (DDoS) cyber operations have grown along with the significant proliferation of cloud services, Internet of Things (IoT) devices, and real-time applications.
Attackers now employ botnets, reflection protocols, and encrypted traffic to overwhelm their targets and create a multitude of issues ranging from disruption of service to economic losses and reputational impact. The average cost of a DDoS attack is more than $2.5 million, according to a 2023 IBM report, highlighting the necessity of strong detection and mitigation systems [1]. Because of their manual configurations, rigid infrastructure, and decentralized control, traditional network architectures find it difficult to fend off these threats. A paradigm shift was brought about by Software-Defined Networking (SDN), which separated the data plane (switches) from the control plane (centralized controller) to allow for dynamic policy enforcement and programmable traffic management [2].

While the global network visibility of SDN and OpenFlow-based flow monitoring offers inherent advantages for security, its centralized architecture also introduces new attack surfaces. For instance, attackers can saturate control-plane bandwidth, overflow flow tables, or spoof source IPs to disrupt legitimate traffic. Threshold-based techniques were used for early DDoS detection in SDN [3]. These methods, however, are unable to identify new or adaptive attacks, like slow and low-speed HTTP floods or traffic patterns produced by artificial intelligence.

The ability of machine learning (ML) to analyze high-dimensional flow data, such as packet counts and flow durations, and spot minute irregularities has made it popular. Supervised models, including Random Forest and Support Vector Machines (SVM), demonstrated acceptable accuracy (85–94%); however, their efficacy is contingent upon the availability of labeled datasets, and they remain susceptible to zero-day attacks. They can and do run into problems in dynamic environments and against zero-day attacks.
Unsupervised methods, like K-means clustering or autoencoders, require no labeled datasets and develop models to learn normal traffic baseline states for an hour for a single user account. They are uninformed and prone to misclassifications and a high false positive rate.

To combine the advantages of supervised and unsupervised learning, recent research has investigated hybrid machine learning models. For instance, [4] achieved 96% accuracy in IoT intrusion detection by combining Random Forest and K-means clustering. These models, however, are not tailored to the