This paper investigates how effectively Distributed Denial-of-Service (DDoS) attacks can be detected in two different network architectures—traditional networks and Software-Defined Networking (SDN)—by using both time-domain and frequency-domain features. While earlier research has mostly relied on statistical or time-based characteristics of traffic, this study expands the analysis to include Discrete Wavelet Transform (DWT) and Hilbert-Huang Transform (HHT), providing deeper insight into how different signal representations influence machine learning–based detection. The authors evaluate DDoS detection using two datasets: the UNSW-NB15 dataset for traditional networks and a dedicated SDN DDoS dataset. After preprocessing and balancing, the traffic data is converted into three feature categories: raw time-domain statistics, wavelet-based features extracted using DWT, and adaptive frequency features derived through HHT. These feature sets are then used to train multiple machine learning models, including Random Forests, Decision Trees, XGBoost, and LightGBM.
A key finding is that DWT-based features consistently achieve the strongest results in SDN environments, benefiting from the more structured and centrally managed nature of SDN traffic. In contrast, traditional network traffic—being noisier and less predictable—often favors simpler time-domain features, which provide more stable performance. The study also highlights the limitations of HHT: while designed for nonlinear and non-stationary signals, its sensitivity to noise and decomposition variability leads to less reliable results across both datasets. Overall, the paper demonstrates that the choice of feature extraction method should be aligned with the underlying network architecture. SDN environments gain substantial improvements from frequency-domain analysis, while traditional networks still respond best to well-chosen statistical time features. The work emphasizes that effective DDoS detection depends not only on model selection but also on understanding how different signal transformations capture attack behavior within each type of network.
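As an added illustration (not code from the paper), the sketch below computes the first two feature categories described above, raw time-domain statistics and DWT features, for one window of packet counts. The Haar wavelet, three decomposition levels, band-energy features, and both sample windows are assumptions; the summary does not state the paper's wavelet or feature definitions.

```python
import math
import statistics

# Constructed packets-per-interval windows (not from either dataset): the same
# 32 values, arranged as a fast alternation and as slow on/off bursts.
FAST = [100, 300] * 16
SLOW = ([100] * 4 + [300] * 4) * 4

def time_features(x):
    """Raw time-domain statistics of one window."""
    return {"mean": statistics.fmean(x), "std": statistics.pstdev(x), "peak": max(x)}

def haar_dwt(x, levels):
    """Multi-level orthonormal Haar DWT: [detail_1, ..., detail_n, approx_n]."""
    if len(x) % (1 << levels):
        raise ValueError("window length must be a multiple of 2**levels")
    approx, bands = list(x), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        bands.append([(a - b) / math.sqrt(2) for a, b in pairs])  # high-pass
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]       # low-pass
    return bands + [approx]

def dwt_features(x, levels=3):
    """Fraction of the window's fluctuation energy in each wavelet band."""
    mu = statistics.fmean(x)
    bands = haar_dwt([v - mu for v in x], levels)  # remove the mean (DC) first
    energy = [sum(c * c for c in band) for band in bands]
    total = sum(energy) or 1.0                     # flat window: avoid 0/0
    names = [f"d{i + 1}" for i in range(levels)] + [f"a{levels}"]
    return {name: e / total for name, e in zip(names, energy)}

if __name__ == "__main__":
    for label, window in (("fast", FAST), ("slow", SLOW)):
        print(label, time_features(window), dwt_features(window))
```

Both windows have identical time-domain statistics, while their wavelet energy falls entirely in different bands (d1 for the fast alternation, d3 for the slow bursts), which is the kind of time-scale structure a frequency-domain feature set can expose to a classifier.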