Generalized detection of DDoS attack patterns using machine learning models

IF 8 · Zone 2 (Computer Science) · Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Razvan Bocu , Maksim Iavich
DOI: 10.1016/j.jnca.2026.104441
Journal: Journal of Network and Computer Applications, volume 248, Article 104441
Published: 2026-04-01 (online 2026-02-06), Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S1084804526000160
Open access: no
Citations: 0

Abstract

Distributed Denial of Service (DDoS) attacks, including stealthy Low-Rate DDoS (LRDDoS) variants, pose critical challenges to network security by evading conventional detection systems that rely on traffic volume thresholds. Existing machine learning-based detectors often fail to generalize across diverse attack patterns, suffer from concept drift in evolving traffic, and cannot leverage distributed data due to privacy constraints. To address these limitations, we propose FLD-DDoS, an integrated detection framework based on asynchronous Federated Learning (FL) with Bidirectional LSTM (Bi-LSTM) and adaptive concept drift handling. Our approach enables collaborative model training across multiple network nodes without centralizing sensitive data, while maintaining detection accuracy under changing traffic conditions. The key contributions include: (1) a novel asynchronous FL architecture with intelligent main node selection; (2) a Bi-LSTM classifier enhanced with model drift detection using Kolmogorov–Smirnov testing; (3) a comprehensive evaluation on 800 million real-world corporate network packets showing 99.82% detection accuracy with sub-second latency; (4) experimental comparison demonstrating superiority over six baseline and state-of-the-art methods; (5) a comparative experimental evaluation considering two additional baseline models. The implemented system significantly reduces network load and demonstrates scalable performance with O(n) time complexity for the core algorithms, while providing robust protection against both volumetric and stealthy DDoS attacks.
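As an added illustration (not code from the paper or its authors), the two-sample Kolmogorov–Smirnov drift check the abstract names, applied to one assumed per-window traffic feature (packets per second per flow window, constructed sample data) without relying on scipy:

```python
"""Two-sample Kolmogorov-Smirnov drift check on a per-window traffic feature.

Added illustration, not the FLD-DDoS implementation: it shows the mechanics
of the KS test the abstract pairs with its Bi-LSTM classifier. The feature
(packets per second per flow window) and the sample data are assumptions.
"""
import math
from statistics import NormalDist


def ks_statistic(reference, current):
    """Return D = sup_x |F_ref(x) - F_cur(x)| over the two empirical CDFs."""
    ref, cur = sorted(reference), sorted(current)
    n, m = len(ref), len(cur)
    d, i, j = 0.0, 0, 0
    # The gap between two step-function ECDFs can only change at a sample
    # point, so walking both sorted samples together finds the supremum.
    while i < n and j < m:
        x = min(ref[i], cur[j])
        while i < n and ref[i] <= x:
            i += 1
        while j < m and cur[j] <= x:
            j += 1
        d = max(d, abs(i / n - j / m))
    return d


def ks_critical(n, m, alpha=0.05):
    """Asymptotic two-sample critical value c(alpha) * sqrt((n + m) / (n * m))."""
    c_alpha = math.sqrt(-0.5 * math.log(alpha / 2.0))
    return c_alpha * math.sqrt((n + m) / (n * m))


def drift_detected(reference, current, alpha=0.05):
    """True when the current window's feature distribution differs from the
    reference window at significance alpha, i.e. the deployed model's
    training assumptions no longer hold and it should be re-evaluated."""
    return ks_statistic(reference, current) > ks_critical(len(reference), len(current), alpha)


def demo():
    # Constructed data: deterministic normal quantiles instead of random draws,
    # so the result does not depend on a seed. Values are assumed pps counts.
    n = 500
    baseline = [NormalDist(200, 30).inv_cdf((k + 0.5) / n) for k in range(n)]
    same = [NormalDist(200, 30).inv_cdf((k + 0.25) / n) for k in range(n)]
    shifted = [NormalDist(260, 30).inv_cdf((k + 0.5) / n) for k in range(n)]
    return drift_detected(baseline, same), drift_detected(baseline, shifted)
```

In a federated deployment each node would run this check on its own local windows, so the drift signal never requires sharing raw traffic.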
Source journal

Journal of Network and Computer Applications (Engineering & Technology - Computer Science: Interdisciplinary Applications)
CiteScore: 21.50
Self-citation rate: 3.40%
Articles published: 142
Review time: 37 days
Journal description: The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as the WWW; emerging standards for internet protocols; wireless networks; mobile computing; emerging computing models such as cloud computing and grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.