Impact of Network Topology on Machine Learning-Based DDoS and Anomaly Detection in Software-Defined Networks

The development of Software-Defined Networks (SDNs) introduces new challenges in network security, particularly in detecting Distributed Denial of Service (DDoS) attacks and network anomalies. Due to the centralized architecture of SDN, traditional detection methods are often insufficient in dynamic environments. Therefore, machine learning techniques are increasingly applied to improve detection effectiveness. This paper analyzes the impact of network topology on the performance of machine learning-based detection methods in SDN environments. A controlled experimental setup based on the RYU controller and OpenFlow 1.3 was implemented using Mininet. Two network topologies (linear and hierarchical) were evaluated under multiple attack scenarios, including TCP SYN flood and TCP/UDP port scanning. Two supervised learning models, Random Forest (RF) and K-Nearest Neighbors (KNN), were implemented and compared using standard evaluation metrics: accuracy, precision, recall, F1-score, and detection time. The results show that Random Forest significantly outperforms KNN, achieving up to 100% accuracy and detection times as low as 4.24 s, while KNN exhibits lower stability and reduced recall in anomaly detection scenarios. The study demonstrates that network topology has a measurable impact on both detection performance and latency. The observed effects varied across attack scenarios and machine learning models. Hierarchical topology generally improved detection sensitivity in DDoS scenarios, while linear topology often enabled lower detection latency during selected anomaly detection experiments. The results indicate that both machine learning model selection and network topology should be jointly considered when designing intrusion detection systems for SDN environments. These findings contribute to improving the effectiveness and responsiveness of security mechanisms in modern programmable networks.