Resource-Aware Ensemble Framework for DDoS Detection in SDN via Novel Game-Theoretic Feature Selection

Distributed Denial-of-Service (DDoS) attacks continue to threaten the reliability and performance of modern network infrastructures, particularly in Software-Defined Networking (SDN) environments, where the centralized controller represents a critical single point of failure. The growing complexity of DDoS vectors, including low-rate and zero-day attacks, calls for detection frameworks that are not only highly accurate but also generalizable and computationally efficient. This paper presents an enhanced ensemble-based machine learning framework designed for robust DDoS detection in SDN settings. At the core of our approach lies a novel hybrid feature selection method that combines Random Forest (RF) feature importance with the Banzhaf Power Index (BPI) from cooperative game theory. This RF-BPI method evaluates both the statistical relevance and marginal contribution of features, resulting in a reduced feature space that enhances detection performance while minimizing redundancy and computational cost. We systematically benchmark a range of classifiers, including XGBoost, Random Forest, Gradient Boosting, Support Vector Machines (SVM), k-Nearest Neighbors (KNN), AdaBoost, and Naïve Bayes, and integrate them into four voting-based ensemble configurations. Each ensemble model is independently trained and evaluated on two datasets: the CIC-DDoS2023 dataset, which reflects diverse and recent DDoS attack behaviors, and a flow-based SDN-specific dataset that emulates controller-targeted attack scenarios. All ensemble models achieve perfect classification performance (100% accuracy, precision, recall, and F1-score) on both datasets. Beyond accuracy, our evaluation also captures training time, inference latency, memory usage, and model size to assess the feasibility of real-time deployment. The results show that while some ensemble models complete training in under 5 seconds with memory footprints below 1 MB, others incur significantly higher resource costs, highlighting trade-offs between architectural complexity and runtime efficiency. This work demonstrates that a carefully designed ensemble IDS, strengthened by cooperative game-theoretic feature selection, can deliver high detection accuracy while maintaining flexibility and resource-awareness, making it suitable for deployment in production-grade SDN environments.