Software-Defined Networking (SDN) offers flexibility and centralized control, but this same architecture makes SDN controllers highly vulnerable to Distributed Denial of Service (DDoS) attacks. When attackers flood the controller with Packet-In messages—often using spoofed IP addresses—they can degrade performance or disrupt service entirely. This paper presents an enhanced anomaly detection method that leverages frequency-domain analysis to identify DDoS attack traffic with improved robustness. The proposed system begins by monitoring Packet-In messages and constructing a time-series that reflects traffic behavior. This sequence is transformed into the frequency domain using the Discrete Fourier Transform (DFT), capturing both amplitude and phase information—a key improvement over earlier work, which relied solely on magnitude. To preserve the relationships between frequency components, the method converts the transformed data into square image representations, allowing a Convolutional Neural Network (CNN) to learn spatial and spectral patterns associated with different traffic types. Images representing normal traffic and multiple DDoS attack types (TCP-SYN, NTP, DNS) show clear visual distinctions, as demonstrated in Figure 3 of the paper (page 4).
A major contribution of the work is the use of multiple window sizes during frequency analysis. Smaller windows capture short-term fluctuations, while larger windows reveal long-term characteristics. By transforming each window into an image and rescaling them consistently, the system integrates multi-scale frequency features without losing important phase information. This design allows the CNN classifier to detect complex traffic variations more accurately and generalize across different attack scenarios. Experiments using MAWI traffic traces and simulated DDoS attacks show that the image-based approach significantly improves detection metrics—achieving higher precision, recall, and overall accuracy compared to earlier frequency-only methods. The CNN architecture used in the study includes over 10 million trainable parameters and is specifically tuned to extract meaningful spatial patterns from the generated images. The results indicate that incorporating both frequency magnitude and phase, combined with image-based feature representation, enables a more expressive and reliable detection framework for SDN environments. Overall, this work demonstrates that transforming frequency-domain traffic behavior into structured visual patterns provides a powerful foundation for machine learning–based DDoS detection. By merging spectral analysis with image-based deep learning, the method enhances SDN security while maintaining computational efficiency—an important step toward resilient next-generation network defense systems.
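The pipeline summarised above (Packet-In counts, DFT, amplitude and phase laid out as square images, several window sizes rescaled to one size) can be sketched as follows. This is an added example, not code from the paper: the row-major layout, the two-channel stacking, nearest-neighbour rescaling, the window sizes 16 and 64, and the constructed traffic counts are all assumptions. It also shows what phase contributes: two series with the same bursts at different offsets give identical amplitude images but different phase images.

```python
import cmath, math

def dft(x):
    """Naive O(N^2) Discrete Fourier Transform (standard library only)."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]

def spectrum_channels(window):
    """Return (amplitude, phase) square images for one window.
    Assumed layout: DFT bins in row-major order, values scaled to [0, 1]."""
    side = math.isqrt(len(window))
    if side * side != len(window):
        raise ValueError("window length must be a perfect square")
    bins = dft(window)
    peak = max(abs(b) for b in bins) or 1.0
    amp = [abs(b) / peak for b in bins]
    # Phase of a near-empty bin is numerical noise, so pin it to mid-scale.
    pha = [(cmath.phase(b) + math.pi) / (2 * math.pi) if a > 1e-9 else 0.5
           for b, a in zip(bins, amp)]
    return tuple([v[r * side:(r + 1) * side] for r in range(side)]
                 for v in (amp, pha))

def rescale(img, side):
    """Nearest-neighbour resize so every window yields the same image size."""
    src = len(img)
    return [[img[r * src // side][c * src // side] for c in range(side)]
            for r in range(side)]

def multi_scale_image(series, window_sizes=(16, 64), side=8):
    """Stack amplitude and phase channels from the latest samples of each window."""
    channels = []
    for w in window_sizes:
        for ch in spectrum_channels(series[-w:]):
            channels.append(rescale(ch, side))
    return channels

# Constructed Packet-In counts per interval: a burst every 8 intervals.
BASE = [40 if t % 8 == 4 else 5 for t in range(64)]
SHIFTED = BASE[3:] + BASE[:3]  # same bursts, three intervals earlier

def max_diff(a, b):
    """Largest per-pixel difference between two equally sized images."""
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

if __name__ == "__main__":
    base, shifted = multi_scale_image(BASE), multi_scale_image(SHIFTED)
    for name, i in (("amp16", 0), ("phase16", 1), ("amp64", 2), ("phase64", 3)):
        print(name, round(max_diff(base[i], shifted[i]), 6))
```

The stacked channels are what a CNN input layer would consume; a magnitude-only feature set corresponds to keeping channels 0 and 2 and would treat the two constructed series as the same input.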
Image-Based Frequency-Domain Analysis for Robust DDoS Detection in SDN