
A Seminar report on

Comparative and Detection of DDoS Attacks Using Deep Learning Techniques

Submitted to the faculty of Engineering for the award of the Degree of
MASTER OF TECHNOLOGY
In
Computer Science and Engineering
By

GATTU PRAVALLIKA
24VV1D5801

Under the Esteemed Guidance of

Mr. Y.V. Amardeep, M.Tech
Assistant Professor
Department of Computer Science and Engineering

Department of Computer Science and Engineering
JNTUGV College of Engineering Vizianagaram (Autonomous)
Jawaharlal Nehru Technological University – Gurajada Vizianagaram
Dwarapudi, Vizianagaram - 530003, Andhra Pradesh, India
2024-2025

CERTIFICATE

This is to certify that the seminar report titled "Comparative and Detection of DDoS Attacks Using Deep Learning Techniques", being submitted in partial fulfilment for the award of the degree of Master of Technology in Computer Science and Engineering from Jawaharlal Nehru Technological University, Gurajada Vizianagaram, is a record of bona fide work carried out by GATTU PRAVALLIKA bearing roll number 24VV1D5801.

Mr. Y.V. Amardeep
Assistant Professor (c)
Dept. of CSE

Dr. P. Aruna Kumari
Head of the Department
Dept. of CSE

DECLARATION

I, GATTU PRAVALLIKA, bearing the Roll No: 24VV1D5801, studying in the I year II semester of Master of Technology in Computer Science and Engineering at JNTU-GV College Of Engineering Vizianagaram, hereby declare that the seminar work entitled “Comparative and Detection of DDoS Attacks Using Deep Learning Techniques”, which is being submitted by me in partial fulfilment of the requirements for the award of the degree of M Tech in Computer Science & Engineering, is an authentic record of work carried out by me during the academic year 2024-2025.

I further declare that the contents of this report do not include any copyrighted proprietary material, and I am solely responsible for any such disputes.

GATTU PRAVALLIKA
24VV1D5807

Place:
Date:

Department of Computer Science and Engineering
JNTUGV College of Engineering Vizianagaram (Autonomous)
Jawaharlal Nehru Technological University – Gurajada Vizianagaram
Dwarapudi, Vizianagaram - 530003, Andhra Pradesh, India

INSTITUTE VISION

To emerge as a premier technical Institution in the field of engineering and research with a focus to produce professionally competent and socially sensitive engineers capable of working in a multidisciplinary global environment.

MISSION

- To provide high quality technical education through a creative balance of academia and Industry by adopting highly effective teaching learning processes.
- To promote multidisciplinary research with a global perspective to attain professional excellence.
- To establish standards that inculcate ethical and moral values that contribute to growth in the Career and development of society.

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

VISION

To achieve academic excellence in Computer Science and Engineering in imparting comprehensive knowledge to the students, promoting research activities and professional ethics to outfit the ever-changing industrial demands and societal needs.

MISSION

- To produce the best quality Computer Science professionals by imparting quality Teaching and learning process, training and value education.
- To strengthen links with industry through the partnerships and collaborative developmental works.
- To attain self-sustainability and overall development through Research and Consultancy activities.
- To inculcate work ethics and commitment in students for their future endeavours to serve the society.

PROGRAM OUTCOMES (POs)

Program Outcomes (POs) form a set of individually assessable outcomes that are the components indicative of the graduate potential to acquire competence to practice at the appropriate level. The POs are exemplars of the attributes expected of a graduate from an institution.

PO Description:

PO1: Engineering Knowledge. Apply the knowledge of mathematics, science, engineering fundamentals, and an engineering specialization to the solution of complex engineering problems.

PO2: Problem Analysis. Identify, formulate, review research literature and analyse complex engineering problems reaching substantiated conclusions using first principles of mathematics, natural sciences and engineering sciences.

PO3: Design/Development of Solutions. Design solutions for complex engineering problems and design system components or processes that meet the specified needs with appropriate consideration for public health and safety, and the cultural, societal and environmental considerations.

PO4: Conduct Investigations of Complex Problems. Use research-based knowledge and research methods including design of experiments, analysis and interpretation of data and synthesis of the information to provide valid conclusions.

PO5: Modern Tool Usage. Create, select and apply appropriate techniques, resources and modern engineering and IT tools including prediction and modelling to complex engineering activities with an understanding of the limitations.

PO6: The Engineer and Society. Apply reasoning informed by the contextual knowledge to assess societal, health, safety, legal and cultural issues and the consequent responsibilities relevant to the professional engineering practices.

PO7: Environment and Sustainability. Understand the impact of the professional engineering solutions in societal and environmental contexts, and demonstrate the knowledge of and need for sustainable development.

PO8: Ethics. Apply ethical principles and commit to professional ethics and responsibilities and norms of the engineering practice.

PO9: Individual and Team Work. Function effectively as an individual, and as a member or leader in diverse teams, and in multidisciplinary settings.

PO10: Communication. Communicate effectively on complex engineering activities with the engineering community and with society at large, such as being able to comprehend and write effective reports and design documentation, make effective presentations, and give and receive clear instructions.

PO11: Project Management and Finance. Demonstrate knowledge and understanding of the engineering and management principles and apply these to one's own work as a member and leader in a team, to manage projects and in multidisciplinary environments.

PO12: Life-Long Learning. Recognise the need for, and have the preparation and ability to engage in independent and life-long learning in the broadest context of technological change.

PROGRAM EDUCATIONAL OBJECTIVES (PEOs)

PEO 1: The graduates of the Program will be prepared for their careers in the software industry, public sector or pursue higher studies and continue to develop their professional knowledge.

PEO 2: The graduates will acquire the capability to apply their knowledge of Computer Science and Engineering to solve real world problems using the latest technologies.

PEO 3: The graduates will inculcate a professional attitude, inter-disciplinary approach, ethics and the ability to relate computer engineering issues with social awareness.

PEO 4: The graduates of Computer Science Engineering will have soft skills to adapt to the diverse global environment through lifelong learning.

PROGRAM SPECIFIC OUTCOMES (PSOs)

PSO 1: Able to apply the knowledge of programming languages, data structures and algorithms, data science, networks and software engineering principles for software product development.

PSO 2: Able to analyse and formulate solutions to real world and socially relevant problems over multidisciplinary domains by using the latest technologies.

PSO 3: Able to be a technically competent employee, researcher or entrepreneur, excel in competitive exams and have zest for higher studies.
ABSTRACT

The base paper, "Open-Set Recognition in Unknown DDoS Attacks Detection with Reciprocal Points Learning," presents a method that combines CNN with RPL for detecting both known and unknown DDoS attacks.

However, the drawbacks of current DDoS detection models, including those in the base paper, stem from their reliance on prior knowledge of attack signatures, making them less effective against unknown attack types. These models often experience high false positive rates and reduced detection accuracy in real-time environments. Moreover, many approaches are computationally expensive, requiring large datasets and complex architectures, making them challenging to implement in resource-constrained settings.

As part of our future work, we are actively comparing the performance of our proposed CNN-RPL model across both the CICIDS2017 and CICDDoS2019 datasets. This comparison will help us refine our approach to improve detection capabilities for both known and unknown DDoS attacks. By examining the behaviour of the model on these diverse datasets, we aim to further enhance its accuracy, scalability, and adaptability, ensuring that it can meet the evolving needs of cyber security in increasingly complex network environments. Python will be used for model development, with TensorFlow or PyTorch as the deep learning framework, and network simulations will be conducted using tools such as Scapy or Mininet.
CONTENTS
Acknowledgements iv

Abstract v

Contents vi

Chapter 1 Introduction 1-8

1.1 Introduction of DDoS Attacks 1

1.1.1 Distributed Denial of Service Attacks 2

1.1.2 Known DDoS Attacks 3-4

1.1.3 Unknown DDoS Attacks 5

1.2 CNN-RPL Architecture Overview 6

1.3 Challenges in Detecting DDoS Attacks 7

1.4 Impact on Network Security 8

Chapter 2 Literature Review 9-18

Chapter 3 Conclusion 19

Chapter 4 References 20-21

Chapter 1
INTRODUCTION

1.1 Introduction to DDoS

DDoS stands for Distributed Denial of Service. It is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of internet traffic. Here’s how it works:

Distributed: The attack is launched from multiple compromised devices, often part of a botnet—a network of infected computers controlled by an attacker. This makes it more challenging to defend against because the traffic comes from various sources.

Denial of Service: The goal is to make the targeted service unavailable to its intended users. This can be done by consuming all the server’s resources (like bandwidth, CPU, or memory) so that legitimate requests cannot be processed.

DDoS attacks can vary in size and intensity, and they can target various types of online services, including websites, online gaming services, Botnet and other internet-connected systems.
1.1.1 Distributed Denial of Service Attacks

Distributed Denial of Service (DDoS) attacks are a malicious attempt to disrupt the normal traffic of a targeted server, network, or service by overwhelming it with a flood of Internet traffic. Unlike regular Denial of Service (DoS) attacks that may come from a single source, DDoS attacks are launched from multiple compromised computers or devices, often organized into a botnet—a network of infected devices controlled by attackers. The vast volume of requests in a DDoS attack can quickly exhaust system resources, slowing down or crashing services and causing widespread network disruption.
1.1.2 Known DDoS Attacks

Known DDoS attacks are established types of Distributed Denial of Service attacks that have been documented and analyzed over time. They feature recognizable patterns and established techniques that exploit vulnerabilities in networks or applications, allowing defenders to implement effective countermeasures. Due to extensive documentation in security reports, organizations can learn about their characteristics and impacts, enabling proactive defenses. Overall, known DDoS attacks provide a framework for understanding and responding to cyber threats, helping enhance resilience against these attacks. The known attacks include:

- Volumetric Attacks

Volumetric attacks aim to overwhelm the target's bandwidth by generating a massive volume of traffic. By flooding the network with illegitimate data, these attacks can render the target's resources unable to handle legitimate requests. Common examples include the UDP Flood, which bombards random ports with numerous UDP packets, overwhelming the target as it tries to process each incoming packet. Another example is the ICMP Flood, also known as a ping flood, which sends a high rate of ICMP Echo Requests to the target, leading to excessive response traffic that overwhelms network capacity. Additionally, DNS Amplification attacks involve sending spoofed DNS requests to open servers, resulting in a significant increase in traffic directed at the target.

- Protocol Attacks

Protocol attacks exploit vulnerabilities in network protocols to consume server resources and disrupt service. One well-known example is the SYN Flood, which takes advantage of the TCP handshake process by sending a high volume of SYN requests to a server without completing the connection, causing it to allocate resources for connections that never fully establish. Another example is the Smurf Attack, where attackers use IP spoofing to send ICMP packets to a network, triggering a flood of response traffic that targets the victim. The Ping of Death is also notable; it involves sending oversized or fragmented packets to a target, which can lead to crashes or failures in handling these malicious requests.

- Application Layer Attacks

Application layer attacks focus on specific applications or services, often designed to mimic legitimate traffic, making them challenging to detect. For instance, an HTTP Flood attack overwhelms a web server by making repeated requests, draining its resources and making it difficult to serve genuine users. Slowloris is another application layer attack that keeps many HTTP connections open by sending partial requests, preventing the server from closing these connections and thus blocking legitimate traffic. Additionally, Recursive GET/POST attacks involve repeatedly requesting resource-intensive pages or queries, which can exhaust server capabilities and lead to service disruptions.

- DNS-Based Attacks

DNS-based attacks target the domain name system, crucial for translating domain names into IP addresses, and can severely disrupt access to websites. The DNS Flood attack sends a large volume of DNS queries to a server, overwhelming its ability to respond and causing legitimate queries to be dropped. An NXDOMAIN Attack sends requests for nonexistent domains, causing the DNS server to expend resources on lookups that yield no results, further straining its capacity. Another malicious tactic is DNS Cache Poisoning, which involves manipulating DNS cache entries to redirect users to malicious sites or disrupt access to legitimate domains, creating significant challenges for users and administrators alike.
1.1.3 Unknown DDoS Attacks

Unknown DDoS attacks are new or previously unobserved types of Distributed Denial of Service attacks that do not match established patterns, making them difficult to detect. These attacks often employ innovative techniques to evade traditional security measures, adapting to the target's defences and exploiting obscure vulnerabilities in protocols or applications. They can operate at low traffic volumes, blending in with normal traffic, and may use multi-vector approaches to overwhelm systems. Overall, unknown DDoS attacks pose a significant threat to network security, highlighting the need for advanced and adaptive security measures to counter these evolving threats. The unknown attacks include:

- Adaptive or Self-Learning Attacks

Adaptive or self-learning attacks are sophisticated DDoS tactics that modify their strategies based on the target’s defense mechanisms. These attacks typically start with low traffic volumes, allowing them to operate under the radar while they gather information about the target's response patterns. As the attack progresses, it can gradually increase its intensity, exploiting any weaknesses in the defenses that it has identified. This ability to adjust dynamically makes them particularly challenging to detect and mitigate, as they can evade traditional security measures that rely on recognizing known attack signatures.

- Application and Protocol Exploits

Unknown DDoS attacks often exploit obscure vulnerabilities in applications and protocols that may not have been previously considered or documented. By leveraging rare protocol options or unusual combinations of requests, these attacks can cause unexpected behavior in network infrastructure and security systems that are not configured to handle such anomalies. For instance, attackers might utilize less common functionalities within a protocol to overwhelm resources, leading to service disruptions without triggering the defenses that typically protect against more conventional attacks.

- Low-and-Slow Attacks

Low-and-slow attacks are characterized by their use of minimal traffic volumes and gradual operations, allowing them to blend seamlessly with normal traffic patterns. By maintaining a low profile, these attacks can bypass detection systems that typically focus on identifying spikes in traffic or high connection rates. An example is a "slow read" attack, where the attacker requests data at an extremely slow rate, consuming server resources over time without raising alarms. This stealthy approach can lead to significant resource exhaustion, ultimately disrupting services without attracting immediate attention.

- Multi-Vector Hybrid Attacks

Multi-vector hybrid attacks leverage a combination of different attack vectors in innovative ways to overwhelm targets while evading detection. By simultaneously executing various strategies—such as exploiting DNS vulnerabilities, launching volumetric traffic, and targeting specific applications—these attacks can create a complex and layered assault that complicates response efforts. Additionally, by mimicking legitimate traffic patterns, they further obscure their malicious intent, making it difficult for security systems to distinguish between normal and harmful activity. This multifaceted approach enhances the effectiveness of the attack and poses significant challenges for defenders.
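The flood patterns of section 1.1.2 and the low-and-slow pattern of section 1.1.3 leave different traces in flow summaries, and a defender can check for them with a few per-destination threshold rules before any learned model is involved. The Python block below is an added example and not code from the report: the flow-record fields, the sample flows and every threshold are constructed here, and a real deployment would derive its thresholds from a baseline of its own traffic (for instance from NetFlow or IPFIX exports).

```python
"""Flow-level heuristics for the DDoS classes described in sections 1.1.2 and 1.1.3.

Added example, not from the report. The flow format (one dict per flow summary)
and all thresholds are assumptions made here for illustration.
"""
from collections import defaultdict

# Constructed sample flows. Fields: ts (s), src, dst, proto, flags (TCP only),
# pkts, bytes, dur (s). Addresses are from documentation ranges.
SAMPLE_FLOWS = [
    # Legitimate web traffic to 10.0.0.5: completed handshakes, modest size.
    {"ts": 0.0, "src": "192.0.2.10", "dst": "10.0.0.5", "proto": "tcp",
     "flags": "SA", "pkts": 12, "bytes": 6000, "dur": 1.2},
    {"ts": 0.5, "src": "192.0.2.11", "dst": "10.0.0.5", "proto": "tcp",
     "flags": "SA", "pkts": 9, "bytes": 4200, "dur": 0.9},
]
# SYN flood against 10.0.0.5: many half-open flows from many sources (protocol attack).
SAMPLE_FLOWS += [
    {"ts": 1.0 + i * 0.001, "src": f"198.51.100.{i % 254 + 1}", "dst": "10.0.0.5",
     "proto": "tcp", "flags": "S", "pkts": 1, "bytes": 60, "dur": 0.0}
    for i in range(300)
]
# UDP flood against 10.0.0.6 from 120 distinct sources (volumetric attack).
SAMPLE_FLOWS += [
    {"ts": 2.0 + i * 0.005, "src": f"203.0.113.{i % 120 + 1}", "dst": "10.0.0.6",
     "proto": "udp", "flags": "", "pkts": 500, "bytes": 512000, "dur": 0.5}
    for i in range(120)
]
# Slow-read style connections against 10.0.0.7: long-lived and almost idle.
SAMPLE_FLOWS += [
    {"ts": 3.0, "src": f"192.0.2.{100 + i}", "dst": "10.0.0.7", "proto": "tcp",
     "flags": "SA", "pkts": 40, "bytes": 400, "dur": 600.0}
    for i in range(80)
]

# Assumed thresholds (illustrative; derive real ones from a traffic baseline).
SYN_HALF_OPEN_MIN = 200     # half-open TCP flows per destination per window
VOLUMETRIC_PPS_MIN = 5_000  # packets per second per destination
VOLUMETRIC_SRC_MIN = 50     # distinct sources behind that rate
SLOW_CONN_MIN = 50          # long idle connections per destination
SLOW_MIN_DUR = 300.0        # seconds a connection must have been open
SLOW_MAX_BPS = 10.0         # bytes per second at or below which it counts as idle
WINDOW = 10.0               # seconds per analysis window


def _windows(flows, window=WINDOW):
    """Group flows by (destination, fixed time window)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["dst"], int(f["ts"] // window))].append(f)
    return groups


def detect(flows):
    """Return a sorted list of (destination, attack_class) alerts."""
    alerts = set()
    for (dst, _win), group in _windows(flows).items():
        # Protocol attack: SYN set without ACK means the handshake never completed.
        half_open = [f for f in group if f["proto"] == "tcp"
                     and "S" in f["flags"] and "A" not in f["flags"]]
        if len(half_open) >= SYN_HALF_OPEN_MIN:
            alerts.add((dst, "syn_flood"))

        # Volumetric attack: packet rate far above baseline and spread over many sources.
        for proto in ("udp", "icmp"):
            pf = [f for f in group if f["proto"] == proto]
            if not pf:
                continue
            pps = sum(f["pkts"] for f in pf) / WINDOW
            if pps >= VOLUMETRIC_PPS_MIN and len({f["src"] for f in pf}) >= VOLUMETRIC_SRC_MIN:
                alerts.add((dst, f"{proto}_flood"))

        # Low-and-slow: many connections held open while moving almost no data.
        idle = [f for f in group if f["proto"] == "tcp" and f["dur"] >= SLOW_MIN_DUR
                and f["bytes"] / f["dur"] <= SLOW_MAX_BPS]
        if len(idle) >= SLOW_CONN_MIN:
            alerts.add((dst, "low_and_slow"))
    return sorted(alerts)


if __name__ == "__main__":
    for dst, kind in detect(SAMPLE_FLOWS):
        print(f"{dst}: {kind}")
```

The three rules deliberately key on different signals (handshake completion, aggregate rate plus source spread, and per-connection throughput over time), which is why a low-and-slow attack that never raises the packet rate is still caught while ordinary short web flows are not.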

1.2 CNN-RPL Architecture Overview

The CNN-RPL (Convolutional Neural Network with Reciprocal Points Learning) architecture combines the strengths of convolutional neural networks (CNNs) with a novel learning mechanism designed for improved DDoS attack detection. The CNN component extracts features from network traffic data by applying convolutional layers that capture spatial hierarchies and patterns. This feature extraction is essential for identifying both known and unknown attack signatures.

Reciprocal Points Learning enhances the model's ability to differentiate between benign and malicious traffic by utilizing feedback loops that adjust learning based on the classification confidence. This dual approach allows the architecture to not only detect threats more accurately but also adapt to new attack patterns over time. Overall, the CNN-RPL architecture aims to provide a robust solution for real-time DDoS detection in complex network environments.

The diagram shows a DDoS detection framework using a classification approach, here illustrated with XGBoost, to differentiate between normal traffic and various DDoS attack types. However, if this framework were modified to incorporate CNN-RPL (Convolutional Neural Network with Reciprocal Points Learning), it would enhance the system’s capability to detect both known and unknown DDoS attacks.

In this modified approach, data preprocessing steps—like feature discretization, normalization, and selection—would remain essential to ensure the features are suitable for CNN-based learning. The dataset would be split into training, validation, and test sets, enabling the CNN-RPL model to learn distinct patterns for each known class and generalize to unknown attack behaviors. CNN-RPL would use reciprocal points, a technique that allows the model to establish clear boundaries between classes by learning representative points within each class distribution. This setup helps in identifying anomalies or traffic patterns that do not align with known classes, effectively flagging them as potential unknown DDoS attacks.

Instead of using XGBoost for attack classification, CNN-RPL would classify traffic into known attack types (such as "Hello Flooding" and "Decreased Rank") and a "Normal" class, while also detecting previously unseen attacks by identifying outliers that deviate from the known class distributions. Integrating CNN-RPL in place of or alongside XGBoost would enable open-set recognition, making the system more robust and adaptable in detecting emerging DDoS attacks that traditional models might miss. This CNN-RPL enhancement would create a comprehensive DDoS detection solution with improved accuracy in handling both known and unknown threats.
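As an added illustration of the open-set idea in this section (not the report's code and not the CNN-RPL implementation), the Python block below runs the preprocessing named above, min-max normalization fitted on the training split only, and then a simplified stand-in for Reciprocal Points Learning: one representative point per known class plus a per-class rejection radius, so that a flow lying outside every radius is flagged "unknown" instead of being forced into the nearest known class. The feature names, class centres, noise level and rejection margin are all assumptions; the CNN feature extractor is replaced by hand-picked flow statistics so the example runs offline.

```python
"""Open-set DDoS classification with class prototypes and a rejection radius.

Added example, not code from the report or from the CNN-RPL paper. The
distance-to-prototype rule is a simplified stand-in for Reciprocal Points
Learning. Feature names, class centres and thresholds are constructed here.
"""
import math
import random

FEATURES = ("pkts_per_s", "bytes_per_pkt", "syn_ratio", "flow_dur_s")

# Constructed class centres in raw feature units (assumed, not from any dataset).
CENTERS = {
    "normal":    [50.0,     800.0, 0.1, 5.0],
    "syn_flood": [20000.0,   60.0, 1.0, 0.01],
    "udp_flood": [30000.0, 1024.0, 0.0, 0.5],
}
REJECT_MARGIN = 1.5  # radius = margin * largest training distance to the prototype


def make_training_set(n_per_class=60, seed=7):
    """Synthesise labelled flows around each centre with small Gaussian noise."""
    rng = random.Random(seed)
    rows = []
    for label, center in CENTERS.items():
        for _ in range(n_per_class):
            rows.append(([c + rng.gauss(0.0, abs(c) * 0.05 + 0.01) for c in center], label))
    return rows


def fit_minmax(vectors):
    """Per-feature min/max taken from the training split only (no test leakage)."""
    lo = [min(v[i] for v in vectors) for i in range(len(FEATURES))]
    hi = [max(v[i] for v in vectors) for i in range(len(FEATURES))]
    return lo, hi


def normalize(vec, scaler):
    """Min-max scale one raw feature vector with a fitted scaler."""
    lo, hi = scaler
    return [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(vec, lo, hi)]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(rows):
    """Learn a scaler, one prototype per class and a per-class rejection radius."""
    scaler = fit_minmax([v for v, _ in rows])
    by_label = {}
    for vec, label in rows:
        by_label.setdefault(label, []).append(normalize(vec, scaler))
    prototypes, radii = {}, {}
    for label, vecs in by_label.items():
        proto = [sum(v[i] for v in vecs) / len(vecs) for i in range(len(FEATURES))]
        prototypes[label] = proto
        # Anything farther from the prototype than any training sample (times a
        # margin) is treated as outside the class boundary.
        radii[label] = REJECT_MARGIN * max(_dist(v, proto) for v in vecs)
    return {"scaler": scaler, "prototypes": prototypes, "radii": radii}


def classify(model, raw_vec):
    """Nearest prototype wins; a sample outside every radius is 'unknown'."""
    x = normalize(raw_vec, model["scaler"])
    label, d = min(((lbl, _dist(x, p)) for lbl, p in model["prototypes"].items()),
                   key=lambda t: t[1])
    return label if d <= model["radii"][label] else "unknown"


if __name__ == "__main__":
    model = train(make_training_set())
    # Constructed probes: known class centres and two patterns never seen in training.
    probes = {
        "normal centre":   CENTERS["normal"],
        "syn centre":      CENTERS["syn_flood"],
        "slow-read style": [1.0, 10.0, 0.05, 600.0],
        "mixed / unseen":  [5000.0, 500.0, 0.5, 2.0],
    }
    for name, vec in probes.items():
        print(f"{name:16s} -> {classify(model, vec)}")
```

The point the paragraph makes is visible in the last two probes: a closed-set classifier would have to assign the slow-read style flow to one of the three known labels, whereas the bounded class regions let the model report it as unknown. In real RPL the representative points and boundaries are learned jointly with the CNN features rather than computed from centroids, but the rejection decision has the same shape.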

1.3 Challenges in Detecting Unknown Attacks

Detecting unknown DDoS attacks presents several challenges. First, the reliance on prior knowledge of attack signatures limits the ability to identify novel or emerging threats that do not match existing patterns. Second, the dynamic nature of attack methodologies can lead to rapid changes in tactics, making it difficult for traditional detection systems to keep pace. Additionally, distinguishing between legitimate spikes in traffic and potential attacks can result in high false positive rates, complicating response efforts. Finally, many detection systems require substantial computational resources, which can be a barrier in real-time analysis, particularly in environments with constrained resources. These challenges underscore the need for more adaptive and intelligent detection methods.

1.4 Impact on Network Security

DDoS attacks can severely compromise network security by causing extensive service disruptions, leading to downtime for websites, applications, and critical online services. This disruption not only affects user access but can result in significant financial losses and damage to a company's reputation. Additionally, these attacks consume substantial network resources, reducing performance and potentially exposing vulnerabilities that other attackers can exploit. In critical infrastructure, prolonged DDoS attacks may also impact operational stability, data integrity, and overall trust in network reliability.
Chapter 2
LITERATURE REVIEW

Ismail et al. (2022) [1]. This study addresses the problem of Distributed Denial of Service (DDoS) attacks, which overwhelm network resources to disrupt legitimate access. The authors propose a machine learning-based solution, focusing on classification and prediction of DDoS attacks using supervised models, specifically Random Forest and XGBoost. While prior research often relied on outdated datasets, this study employs the UNSW-nb15 dataset for improved relevancy. Python was used for model development and simulation, incorporating data preprocessing steps such as feature scaling and normalization to optimize model performance. Results indicate that XGBoost outperformed Random Forest, achieving approximately 90% accuracy, a significant improvement over past models. Drawbacks include model dependency on dataset quality and the computational demands of real-time prediction. The conclusion highlights that the proposed framework achieves high accuracy and efficiency, suggesting future work could explore unsupervised learning for broader DDoS detection capabilities.

H. Beitollahi, D. M. Sharif and M. Fazeli (2022) [2]. This study addresses the issue of application-layer Distributed Denial of Service (App-DDoS) attacks, which can evade traditional intrusion detection due to their mimicry of legitimate traffic. The proposed solution combines a Radial Basis Function (RBF) neural network with the Cuckoo Search Algorithm (CSA) for enhanced detection accuracy. Data from the NSL-KDD dataset was processed and optimized using the Genetic Algorithm (GA) for feature selection, enhancing the model’s focus on relevant characteristics. The CSA-trained RBF model was implemented using MATLAB, and its performance was compared against k-NN, Bagging, SVM, MLP, and RNN methods. Results showed an improvement in accuracy and reduced error rates, with a significant precision advantage over traditional techniques. Drawbacks include computational complexity and a need for large labeled datasets. The study concludes that this hybrid model effectively addresses the limitations of traditional App-DDoS detection methods, with future research suggested for unsupervised learning applications.

S. Haider et al. (2020) [3]. This study addresses the need for effective Distributed Denial of Service (DDoS) attack detection in Software Defined Networks (SDNs) by proposing a deep Convolutional Neural Network (CNN) ensemble framework. With the increase in cyber threats, particularly sophisticated DDoS attacks, traditional network defenses often fall short in scalability and precision. The proposed CNN ensemble model leverages a flow-based approach tailored to SDN architecture, achieving high accuracy in attack detection while minimizing false positives. The framework was evaluated using the CICIDS2017 dataset, which includes labeled data for both benign and attack traffic, providing a reliable benchmark. Four deep learning models—RNN, LSTM, CNN, and a hybrid RL—were implemented, with feature scaling and ensemble techniques to enhance detection accuracy. Built with Keras and TensorFlow, the model achieved an impressive 99.45% accuracy, demonstrating its efficiency for large-scale, distributed networks, though training times remain a tradeoff. This work confirms the potential of deep learning ensembles to offer scalable, high-performance DDoS detection, providing a promising solution for securing SDNs.

A. A. Alashhab et al. (2024) [4]. This study proposes an ensemble online machine learning (OML) model for detecting and mitigating DDoS attacks in Software-Defined Networks (SDN). Combining multiple classifiers, including BernoulliNB, Passive-Aggressive, SGD, and MLP, the model dynamically learns from streaming data, allowing real-time adaptation to evolving DDoS patterns. Tested on synthetic and benchmark datasets, such as CICDDoS2019 and InSDN, the model achieved a high detection rate of 99.2%. Its modular design supports compatibility with different SDN controllers and ensures flexible updates. While demonstrating scalability and accuracy, challenges remain in resource demands and scalability, particularly under high-traffic conditions. Future work will focus on expanding the model to cloud-based SDN environments and refining deep learning integration for broader DDoS protection.
K. S. Sahoo et al. (2020) [5]. The paper tackles the problem of detecting Distributed Denial of Service (DDoS) attacks in Software Defined Networks (SDNs), which are highly vulnerable due to their centralized control layer. The proposed solution is an advanced Support Vector Machine (SVM) model, enhanced with Kernel Principal Component Analysis (KPCA) for dimensionality reduction and a Genetic Algorithm (GA) for optimizing SVM parameters, resulting in higher accuracy and efficiency. To address the long training times of conventional SVMs, an improved kernel function, N-RBF, is introduced. The model is tested on two datasets (a modern DDoS dataset and NSL-KDD) in a simulated SDN environment using the POX controller and Mininet emulator. Results demonstrate the model’s superior classification accuracy and efficiency compared to other methods, achieving an accuracy of 98.9%. Limitations include challenges in detecting specific types of DDoS attacks in multi-controller environments. The study suggests future work on improving detection in these complex settings.

D. M. Brandão Lent, V. G. da Silva Ruffo, L. F. Carvalho, J. Lloret, J. J. P. C. Rodrigues and M. Lemes Proença (2024) [6]. The paper "An Unsupervised Generative Adversarial Network System to Detect DDoS Attacks in SDN" addresses the vulnerability of software-defined networks (SDN) to distributed denial of service (DDoS) attacks due to their centralized control. The proposed solution is an unsupervised anomaly detection system using generative adversarial networks (GANs) with gated recurrent units (GRUs). This system is designed to detect unknown DDoS attacks within one-second intervals and includes a mitigation algorithm to prevent these attacks from disrupting network operations. The study utilized two datasets for validation: one developed by the Orion computer networks study group and the CIC-DDoS2019 dataset. The methods compared different types of neurons, including long short-term memory (LSTM), convolutional, and temporal convolutional neurons, with GRU neurons achieving an F1-score of 99% on the first dataset and 98% on the second. The main drawbacks include potential issues with the GAN training process, such as mode collapse. The study concludes that the proposed GAN-based system is effective in detecting and mitigating DDoS attacks in SDNs.
M. J. Awan, U. Farooq, H. M. A. Babar, A. Yasin, H. Nobanee, M. Hussain, O. Hakeem, and A. M. Zain (2021) [7]. The paper "Real-Time DDoS Attack Detection System Using Big Data Approach" addresses the challenge of detecting distributed denial-of-service (DDoS) attacks in real-time, which is crucial due to the significant disruptions these attacks cause. The proposed solution leverages big data technologies and machine learning models, specifically Random Forest (RF) and Multi-Layer Perceptron (MLP), to enhance detection capabilities. The study utilizes the Kaggle DDoS dataset for its experiments. Both Scikit ML and Apache Spark ML libraries are employed to evaluate performance, with the big data approach significantly reducing training and testing times due to Spark's distributed in-memory computations. The models achieved a mean accuracy of 99.5%. The primary drawback highlighted is the potential computational cost and complexity associated with big data frameworks. The study concludes that integrating big data tools like Apache Spark with machine learning models can effectively detect DDoS attacks in real-time, offering improved performance over traditional methods.

T.-L. Nguyen, H. Kao, T.-T. Nguyen, M.-F. Horng, and C.-S. Shieh (2024) [8]. The paper "Unknown DDoS Attack Detection with Fuzzy C-Means Clustering and Spatial Location Constraint Prototype Loss" addresses the critical issue of identifying unknown distributed denial-of-service (DDoS) attacks, which pose significant threats to network security. The proposed solution combines the Spatial Location Constraint Prototype Loss (SLCPL) method, an advanced Open-Set Recognition (OSR) technique, with Fuzzy C-Means (FCM) clustering to improve the detection of these unknown attacks. The datasets used for this study are CICIDS2017 for known attack detection and CICDDoS2019 for unknown attack detection. The methodology integrates 1D AlexNet for feature extraction and applies SLCPL to classify known attacks while FCM clusters the features to identify unknown attacks. Software tools such as PyTorch, Sklearn, and Python are utilized for implementation. Despite high accuracy rates (99.8% for known attacks and 99.7% for unknown attacks), potential drawbacks include the computational complexity and the need for expert intervention in labeling suspicious data. The study concludes that the hybrid approach significantly enhances the detection capabilities of intrusion detection systems (IDS) against both known and unknown DDoS attacks, emphasizing the necessity for continuous improvement and adaptation to evolving threats.

Y. Al-Dunainawi, B. R. Al-Kaseem and H. S. Al-Raweshidy (2023) [9]. The paper tackles the significant
challenge of Distributed Denial of Service (DDoS) attacks in
Software-Defined Networking (SDN) environments, which
are highly vulnerable due to their centralized control
architecture. To address the difficulty of traditional SDN-based mitigation techniques in detecting complex DDoS
patterns, the authors propose an advanced detection model
combining a 1D-Convolutional Neural Network (1D-CNN),
the Mininet network emulator, and the Ryu controller. They
create a custom dataset simulating realistic DDoS attacks with
benign and malicious traffic for training purposes. To improve
detection accuracy and minimize training time, they optimized
seven 1D-CNN hyperparameters using the NSGA-II genetic
algorithm, achieving a 99.99% accuracy rate. Software used
includes Mininet for emulation, Ryu for network control, and
TensorFlow for model development. Experimental results
show the proposed model’s superiority over other machine
learning models, significantly enhancing SDN resilience to
DDoS threats. This work underscores the potential of deep
learning and SDN integration for robust, scalable network
security solutions.

Md. A. Hossain and Md. S. Islam (2024) [10]. This paper
addresses the challenge of detecting Distributed Denial of
Service (DDoS) attacks, which increasingly threaten network
security, by proposing a hybrid feature selection and
ensemble-based model. The approach combines correlation
analysis, mutual information, and principal component
analysis for effective feature selection, enhancing the ability to
detect complex attack patterns. The ensemble-based Random
Forest classifier is used to classify DDoS attacks accurately,
leveraging multiple decision trees to improve model
robustness and reduce false positives. The proposed model is
evaluated on several DDoS-related datasets, including CIC-
DDoS2019, CSE-CIC-IDS2018, and DDoS-SDN, achieving
nearly perfect scores across accuracy, recall, precision, and
other performance metrics. Compared to existing techniques,
this model demonstrates improved detection rates and
resilience, suggesting its suitability for real-time deployment
in cybersecurity systems to safeguard against DDoS attacks.
The findings underscore the model's scalability and
effectiveness, pointing towards future applications in real-time
network protection.
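The hybrid feature-selection stage summarised above (correlation analysis plus mutual information) can be illustrated with a small stand-alone script. The code below is an added example written for this report, not code from Hossain and Islam; it works on a constructed table of per-flow features with hypothetical column names, keeps the correlation filter and the mutual-information ranking, and leaves out the PCA step. Mutual information is estimated with a two-bin (above/below median) discretisation, which is enough to show why a feature that is an exact multiple of another is dropped while a feature carrying no class signal ranks last.

```python
import math
from collections import Counter

# Constructed sample of per-flow features (hypothetical names; not rows from any
# dataset cited on the page). The last column is the label: 1 = DDoS, 0 = benign.
# byte_rate is an exact multiple of pkt_rate so the correlation filter has a
# redundant feature to remove; avg_pkt_len carries no class information.
FEATURES = ["pkt_rate", "byte_rate", "syn_ratio", "flow_duration", "avg_pkt_len"]
SAMPLE_ROWS = [
    (900, 45000, 0.90, 0.5, 60, 1),
    (950, 47500, 0.60, 0.4, 64, 1),
    (1000, 50000, 0.95, 0.6, 58, 1),
    (1100, 55000, 0.70, 0.3, 62, 1),
    (100, 5000, 0.10, 12.0, 61, 0),
    (120, 6000, 0.30, 30.0, 63, 0),
    (90, 4500, 0.15, 8.0, 59, 0),
    (110, 5500, 0.20, 20.0, 65, 0),
]


def column(rows, index):
    return [row[index] for row in rows]


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either column is constant."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sd_x = math.sqrt(sum((x - mean_x) ** 2 for x in xs))
    sd_y = math.sqrt(sum((y - mean_y) ** 2 for y in ys))
    if sd_x == 0 or sd_y == 0:
        return 0.0
    return cov / (sd_x * sd_y)


def median(values):
    ordered = sorted(values)
    mid = len(ordered) // 2
    return ordered[mid] if len(ordered) % 2 else (ordered[mid - 1] + ordered[mid]) / 2


def mutual_information(xs, labels):
    """I(X;Y) in bits after discretising X into 'above median' / 'not above'."""
    threshold = median(xs)
    bins = [1 if x > threshold else 0 for x in xs]
    n = len(xs)
    joint = Counter(zip(bins, labels))
    p_bin, p_label = Counter(bins), Counter(labels)
    return sum(
        (c / n) * math.log2((c / n) / ((p_bin[b] / n) * (p_label[y] / n)))
        for (b, y), c in joint.items()
    )


def select_features(rows, names, corr_threshold=0.95, top_k=3):
    """Correlation filter first, then rank survivors by mutual information with the label."""
    labels = column(rows, len(names))
    cols = {name: column(rows, i) for i, name in enumerate(names)}
    mi = {name: mutual_information(cols[name], labels) for name in names}
    kept = []
    for name in names:
        redundant = False
        for other in list(kept):
            if abs(pearson(cols[name], cols[other])) > corr_threshold:
                if mi[name] > mi[other]:
                    kept.remove(other)  # newcomer explains the label better
                else:
                    redundant = True
                    break
        if not redundant:
            kept.append(name)
    ranked = sorted(kept, key=lambda name: -mi[name])  # stable: ties keep column order
    return ranked[:top_k], mi
```

On the constructed rows, `select_features(SAMPLE_ROWS, FEATURES)` drops `byte_rate` (correlation 1.0 with `pkt_rate`, no extra label information) and returns `pkt_rate`, `syn_ratio` and `flow_duration`; `avg_pkt_len` has zero mutual information with the label and is never selected. The correlation threshold and the number of features kept are the two knobs a practitioner tunes against a held-out set.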

D. Mohammed Sharif, H. Beitollahi and M. Fazeli (2023) [11]. This study addresses the detection of application-layer
Distributed Denial of Service (DDoS) attacks, which are
increasingly accessible due to the availability of freely
downloadable DDoS tools. It specifically examines attacks
generated by four common tools (HULK, GoldenEye, Slowloris,
and Slowhttptest) that enable users with limited technical skills
to launch potent attacks. To counteract these threats, the authors
propose a machine learning-based approach using a multi-layer
perceptron (MLP) classifier. The solution involves feature
selection, reducing the feature set from 78 to 6, and applying
data normalization for improved model efficiency. The approach
is validated on the CICIDS2017 dataset, achieving high
accuracy (99.2%), precision (97.1%), recall (96.1%), and F1
score (96.6%) using the Adam optimizer. The model's
performance surpasses other methods, demonstrating
effectiveness in classifying traffic generated by diverse DDoS
tools, making it a promising solution for real-world deployment
against DDoS attacks.

C.-S. Shieh, W.-W. Lin, T.-T. Nguyen, C.-H. Chen, M.-F. Horng, and D. Miu (2021) [12]. The paper addresses the
challenge of detecting unknown Distributed Denial of Service
(DDoS) attacks using deep learning by tackling the Open Set
Recognition (OSR) problem, where traditional models
struggle with instances outside their training data. The authors
propose a novel framework that integrates a Bi-Directional
Long Short-Term Memory (BI-LSTM) network with a
Gaussian Mixture Model (GMM) and incremental learning.
The BI-LSTM module classifies known traffic patterns, while
the GMM identifies outliers not present in the training data.
Detected unknown traffic is then labeled by engineers and
used to update the model incrementally. This approach was
tested on CIC-IDS2017 and CIC-DDoS2019 datasets,
achieving up to 94% accuracy, recall, and precision. Despite
its promising results, the framework requires further testing
with diverse datasets and still depends on manual labeling.
The paper concludes that combining BI-LSTM and GMM,
along with incremental learning, can significantly improve
unknown DDoS detection but highlights the need for future
work to automate parameter tuning and reduce human
intervention.
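The open-set recognition idea behind [12], a known-class model whose low-confidence decisions are rejected as "unknown" and later folded back in after an engineer labels them, can be shown in miniature. The following is an added example for this report, not the authors' code: it replaces the BI-LSTM and Gaussian Mixture Model with one diagonal Gaussian per known class (a single-component mixture), uses a log-density threshold calibrated from the training data to decide when a sample belongs to no known class, and implements incremental learning as a refit with the newly labelled class. Feature values and class names are constructed and hypothetical.

```python
import math

# Constructed training data for two known traffic classes (hypothetical, scaled
# feature values: [packets per second, mean packet size]); not from any dataset
# cited on the page.
KNOWN_TRAIN = {
    "benign":    [(1.0, 5.0), (1.2, 5.2), (0.9, 4.8), (1.1, 5.1), (1.0, 4.9)],
    "syn_flood": [(9.0, 1.0), (9.5, 1.1), (8.8, 0.9), (9.2, 1.0), (9.1, 1.05)],
}


def fit_gaussian(points):
    """Diagonal Gaussian for one class: per-feature mean and (floored) variance."""
    n, dim = len(points), len(points[0])
    means = [sum(p[i] for p in points) / n for i in range(dim)]
    variances = [max(sum((p[i] - means[i]) ** 2 for p in points) / n, 1e-3)
                 for i in range(dim)]
    return means, variances


def log_density(x, model):
    """Log of the diagonal Gaussian density of x under one class model."""
    means, variances = model
    return sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
               for xi, m, v in zip(x, means, variances))


def fit_models(train):
    return {label: fit_gaussian(points) for label, points in train.items()}


def calibrate_threshold(train, models, margin=3.0):
    """Reject below the lowest log-density any training point gets under its own class, minus a margin."""
    lowest = min(log_density(p, models[label]) for label, pts in train.items() for p in pts)
    return lowest - margin


def classify_open_set(x, models, threshold):
    """Return (label, score); 'unknown' when no known class explains x well enough."""
    best = max(models, key=lambda label: log_density(x, models[label]))
    score = log_density(x, models[best])
    return (best if score >= threshold else "unknown"), score


def incremental_update(train, new_label, labelled_points):
    """Analyst-labelled unknown traffic becomes a new class; models and threshold are refit."""
    updated = dict(train)
    updated[new_label] = updated.get(new_label, []) + list(labelled_points)
    models = fit_models(updated)
    return updated, models, calibrate_threshold(updated, models)


def demo():
    """Classify a sample before and after the analyst labels its kind of traffic."""
    models = fit_models(KNOWN_TRAIN)
    threshold = calibrate_threshold(KNOWN_TRAIN, models)
    before = classify_open_set((5.0, 9.0), models, threshold)[0]
    # constructed: the rejected samples are labelled by an analyst as a new flood type
    _, models2, threshold2 = incremental_update(
        KNOWN_TRAIN, "http_flood", [(5.0, 9.0), (5.2, 9.1), (4.9, 8.9), (5.1, 9.2)])
    after = classify_open_set((5.0, 9.0), models2, threshold2)[0]
    return before, after
```

`demo()` returns `("unknown", "http_flood")`: the sample far from both known classes is rejected first and recognised once its class has been added. The `margin` parameter trades false rejections of known traffic against missed unknowns, which is the same tuning burden the paper flags as needing automation.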

A. Agarwal, M. Khari, and R. Singh (2022) [13]. The paper
explores the detection of DDoS attacks in cloud storage
applications using a deep learning approach. The problem
addressed is the difficulty in achieving high detection rates for
DDoS attacks without raising false alarms, especially given
the volume and complexity of data in cloud environments.
The authors propose a hybrid model combining Feature
Selection with a Whale Optimization Algorithm (FS-WOA)
and a Deep Neural Network (DNN) to identify malicious
traffic. This approach first normalizes and selects key features
from the input data, then applies a DNN for classification. For
additional security, non-malicious data is encrypted using
homomorphic encryption before storage in the cloud. The
model is tested on the CIC-IDS2017 dataset and achieves a high
detection accuracy of 95.35%. Despite its strengths, the model's
computational demands and dependency on effective feature
selection limit its scalability. Implemented in MATLAB, the
proposed solution demonstrates that combining FS-WOA with
DNN is effective for DDoS detection in cloud applications,
although future research should focus on optimizing feature
selection and reducing processing time.

A. Ahmim, F. Maazouzi, M. Ahmim, S. Namane and I. B. Dhaou (2023) [14]. This paper addresses the problem of
Distributed Denial of Service (DDoS) attacks in Internet of
Things (IoT) networks, where the rapid growth of connected
devices has amplified vulnerabilities to cyber threats.
Traditional machine learning techniques struggle to detect DDoS
attacks effectively in these environments, so the authors
propose a hybrid deep learning model combining
Convolutional Neural Networks (CNN), Long Short-Term
Memory (LSTM), and Autoencoders for enhanced detection
capabilities. The model processes network traffic data through
multiple neural network architectures in parallel and cascades,
enabling high-performance classification of various DDoS
attack types, even for low-frequency events. Using the
CICDDoS2019 dataset, which includes extensive DDoS attack
scenarios, the model achieved superior results, outperforming
traditional methods with high accuracy, low false alarm rates,
and effective detection of nuanced attack patterns. The authors
implemented the model on the Kaggle platform, and while its
complexity increases training time, it allows efficient, real-
time testing and processing suitable for cloud and fog
deployments in IoT environments. Future work will focus on
optimizing hyperparameters and exploring feature selection to
further improve detection accuracy.

Tewelde Gebremedhin Gebremeskel, Ketema Adere Gemeda,
T. Gopi Krishna, Perumalla Janaki Ramulu (2023) [15]. The
paper discusses a novel solution for detecting and classifying
Distributed Denial of Service (DDoS) attacks in a Software-
Defined Networking (SDN) environment with multiple
controllers. The problem identified is the vulnerability of SDN’s
centralized controller structure to DDoS attacks, which can
overwhelm the network by flooding it with malicious traffic. The
proposed solution combines entropy-based anomaly detection
and deep learning using a Long Short-Term Memory (LSTM)
model to classify different types of DDoS attacks effectively.
Key datasets used include CICDDoS2019, which offers diverse
DDoS attack types for training and testing. The entropy-based
approach acts as a preliminary filter, identifying potential attacks
based on network feature distributions, and the LSTM model
provides fine-grained classification. Software tools such as
Mininet and the POX controller framework support the
simulation environment, while a chi-squared feature selection
improves model efficiency. Results indicate the LSTM model
achieves high accuracy (99.42%) with reduced training and
testing loss, outperforming other models like RNN and MLP.
This hybrid method shows promise for DDoS resilience in
multicontroller SDN setups, enhancing both detection speed and
classification accuracy.
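The entropy-based preliminary filter described in [15] rests on a simple observation: a volumetric flood aimed at one host collapses the entropy of the destination-address distribution within a time window, while spoofed sources push the source-address entropy up. The script below is an added example for this report, not the authors' code; it builds a constructed packet log (two ordinary windows followed by a flood window), computes normalised Shannon entropy per fixed-size window and emits an alert record for any window whose destination entropy falls below a threshold. Windows that pass this stage are the ones a classifier such as the paper's LSTM would then inspect.

```python
import math
from collections import Counter

NORMAL_SRCS = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
NORMAL_DSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def build_sample_packets():
    """Constructed packet log of (seq, src_ip, dst_ip): two ordinary windows, then a flood."""
    packets = []
    for w in range(2):                      # ordinary traffic spread over four servers
        for i in range(8):
            packets.append((w * 8 + i, NORMAL_SRCS[i % 4], NORMAL_DSTS[(i + w) % 4]))
    for i in range(8):                      # flood: eight spoofed sources, one victim
        packets.append((16 + i, f"203.0.113.{i + 1}", "10.0.0.5"))
    return packets


SAMPLE_PACKETS = build_sample_packets()


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    n = len(values)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def normalised_entropy(values):
    """Entropy scaled to [0, 1] by the maximum possible for this many observations."""
    n = len(values)
    return 1.0 if n < 2 else shannon_entropy(values) / math.log2(n)


def entropy_filter(packets, window=8, dst_threshold=0.3):
    """Flag windows whose destination-IP entropy collapses: many packets, one victim.

    The alert also records source-IP entropy, since spoofed floods push it up,
    and the most-targeted address as the suspected victim.
    """
    alerts = []
    for start in range(0, len(packets), window):
        chunk = packets[start:start + window]
        h_dst = normalised_entropy([p[2] for p in chunk])
        if h_dst < dst_threshold:
            victim, count = Counter(p[2] for p in chunk).most_common(1)[0]
            alerts.append({
                "window": start // window,
                "dst_entropy": round(h_dst, 3),
                "src_entropy": round(normalised_entropy([p[1] for p in chunk]), 3),
                "suspect_victim": victim,
                "packets_to_victim": count,
            })
    return alerts
```

On the constructed log the two ordinary windows score a normalised destination entropy of about 0.667 and pass, while the flood window scores 0.0 with source entropy 1.0 and is flagged with `10.0.0.5` as the suspected victim. In deployment the window would be time-based rather than count-based and the threshold learned from a baseline of normal traffic; a single busy but legitimate server can also lower destination entropy, which is why the paper treats this stage only as a filter ahead of the classifier.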

Afrah Fathima, G. Shree Devi, Mohd Faizaanuddin (2023) [16]. The paper addresses the challenge of detecting
Distributed Denial of Service (DDoS) attacks, which pose a
significant threat to network stability by overwhelming systems
with traffic from multiple sources. To tackle this, the authors
implemented a supervised machine learning approach, using
Random Forest, K-Nearest Neighbors (KNN), and Logistic
Regression algorithms to distinguish between normal traffic and
DDoS attacks. The study utilized subsets of the CSE-CICIDS2018, CSE-CICIDS2017, and CICDoS datasets,
applying feature scaling and balancing techniques to improve
model performance. After training, Random Forest achieved the
highest accuracy (97.6%), outperforming KNN and Logistic
Regression, which achieved 97% and 91.1%, respectively. While
the results validate Random Forest’s efficacy, the study
acknowledges the need for testing on larger, real-time traffic to
further enhance the model’s accuracy and robustness.

Chapter 3

CONCLUSION

In conclusion, the research on DDoS attack detection
illustrates the effectiveness of advanced machine learning and
deep learning techniques in enhancing cybersecurity. Various
algorithms, including deep convolutional neural networks,
ensemble methods, and hybrid models, demonstrate improved
accuracy and efficiency across environments such as Software
Defined Networks (SDN) and cloud applications. Innovative
approaches like the Cuckoo Search Algorithm with Radial Basis
Function and evolutionary SVM models successfully address
both known and unknown threats, while ensemble online
learning models emphasize the need for real-time adaptability.
Furthermore, the use of unsupervised techniques, including
generative adversarial networks and fuzzy clustering, highlights
the potential for identifying new attack patterns. Overall, this
body of work signifies a promising direction for developing
robust DDoS detection systems capable of evolving with
emerging cyber threats.

Chapter 4
REFERENCES

[1] Ismail et al., "A Machine Learning-Based Classification and Prediction Technique for DDoS Attacks," IEEE Access, vol. 10, pp. 21443-21454, 2022.

[2] H. Beitollahi, D. M. Sharif, and M. Fazeli, "Application Layer DDoS Attack Detection Using Cuckoo Search Algorithm-Trained Radial Basis Function," IEEE Access, vol. 10, pp. 63844-63854, 2022.

[3] S. Haider et al., "A Deep CNN Ensemble Framework for Efficient DDoS Attack Detection in Software Defined Networks," IEEE Access, vol. 8, pp. 53972-53983, 2020.

[4] A. A. Alashhab et al., "Enhancing DDoS Attack Detection and Mitigation in SDN Using an Ensemble Online Machine Learning Model," IEEE Access, vol. 12, pp. 51630-51649, 2024.

[5] K. S. Sahoo et al., "An Evolutionary SVM Model for DDOS Attack Detection in Software Defined Networks," IEEE Access, vol. 8, pp. 132502-132513, 2020.

[6] D. M. Brandão Lent, V. G. da Silva Ruffo, L. F. Carvalho, J. Lloret, J. J. P. C. Rodrigues, and M. Lemes Proença, "An Unsupervised Generative Adversarial Network System to Detect DDoS Attacks in SDN," IEEE Access, vol. 12, pp. 70690-70706, 2024.

[7] M. J. Awan, U. Farooq, H. M. A. Babar, A. Yasin, H. Nobanee, M. Hussain, O. Hakeem, and A. M. Zain, "Real-Time DDoS Attack Detection System Using Big Data Approach," Sustainability, vol. 13, no. 19, p. 10743, Sep. 2021.

[8] T.-L. Nguyen, H. Kao, T.-T. Nguyen, M.-F. Horng, and C.-S. Shieh, "Unknown DDoS Attack Detection with Fuzzy C-Means Clustering and Spatial Location Constraint Prototype Loss," Comput., Mater. Continua, vol. 78, no. 2, pp. 2181-2205, 2024.

[9] Y. Al-Dunainawi, B. R. Al-Kaseem, and H. S. Al-Raweshidy, "Optimized Artificial Intelligence Model for DDoS Detection in SDN Environment," IEEE Access, vol. 11, pp. 106733-106748, 2023.

[10] Md. A. Hossain and Md. S. Islam, "Enhancing DDoS attack detection with hybrid feature selection and ensemble-based classifier: A promising solution for robust cybersecurity," Measurement: Sensors, vol. 32, p. 101037, Apr. 2024.

[11] D. Mohammed Sharif, H. Beitollahi, and M. Fazeli, "Detection of Application-Layer DDoS Attacks Produced by Various Freely Accessible Toolkits Using Machine Learning," IEEE Access, vol. 11, pp. 51810-51819, 2023.

[12] C.-S. Shieh, W.-W. Lin, T.-T. Nguyen, C.-H. Chen, M.-F. Horng, and D. Miu, "Detection of unknown DDoS attacks with deep learning and Gaussian mixture model," Appl. Sci., vol. 11, no. 11, p. 5213, Jun. 2021.

[13] A. Agarwal, M. Khari, and R. Singh, "Detection of DDOS Attack using Deep Learning Model in Cloud Storage Application," Wireless Pers. Commun., vol. 127, no. 1, pp. 419-439, Nov. 2022.

[14] A. Ahmim, F. Maazouzi, M. Ahmim, S. Namane, and I. B. Dhaou, "Distributed Denial of Service Attack Detection for the Internet of Things Using Hybrid Deep Learning Model," IEEE Access, vol. 11, pp. 119862-119875, 2023.

[15] Tewelde Gebremedhin Gebremeskel, Ketema Adere Gemeda, T. Gopi Krishna, and Perumalla Janaki Ramulu, "DDoS Attack Detection and Classification Using Hybrid Model for Multicontroller SDN," Wireless Communications and Mobile Computing, vol. 2023, Article ID 9965945, 18 pages, 2023.

[16] Afrah Fathima, G. Shree Devi, and Mohd Faizaanuddin, "Improving distributed denial of service attack detection using supervised machine learning," Measurement: Sensors, vol. 30, p. 100911, 2023.
