Properties of the SDN architecture provide new opportunities for implementation of security techniques. The possibility of collection of statistics from devices deployed over the network and passing them to a controller increases significantly the possibilities of threats detection. The collected traffic data could be processed and then used for threats detection. A system of detection of malicious activities in software defined networks Monitoring and Detection of Malicious Activities in SDN (MADMAS), introduced by the authors, is based on native mechanisms of software defined networks and uses data exploration techniques for identification and processing of features, and classification of the network traffic. In this paper, we show that an appropriate selection and processing of the flow features provides effective classification of the SDN traffic. We also demonstrate the benefits of using Independent Component Analysis (ICA) and Principal Component Analysis (PCA) techniques for features space reduction.