DDoS Detection Using Hybrid Deep Neural Network Approaches

2023 IEEE 8th International Conference for Convergence in Technology (I2CT)

Pune, India. Apr 7-9, 2023

1st Vanlalruata Hnamte
Department of Mathematics and Computer Science
Mizoram University
Aizawl, India
[email protected]

2nd Jamal Hussain
Department of Mathematics and Computer Science
Mizoram University
Aizawl, India
[email protected]

2023 IEEE 8th International Conference for Convergence in Technology (I2CT) | 979-8-3503-3401-2/23/$31.00 ©2023 IEEE | DOI: 10.1109/I2CT57861.2023.10126434

Abstract—In this study, we provide Deep Neural Network (DNN) based approaches to detecting Distributed Denial-of-Service (DDoS) attacks. In order to improve the DNN’s accuracy, the suggested approaches use two different hybrid DNN scenario detections to demonstrate the possibilities. As training and testing data, we use the publicly available Intrusion Detection datasets CIC-IDS2017 and CIC-DDoS2019. Experiments have shown that the presented approaches are 99.9% effective at detecting attacks.

Keywords—DDoS, DNN, DCNNBiLSTM, DCNNGRU, Deep Learning

I. INTRODUCTION

Attacks from hackers have gotten more sophisticated and destructive as information technology has evolved to become more and more powerful. Point-to-point attacks are the foundation of the typical DoS attack model, in which the hacker uses a single, highly capable computer to launch an attack on the victim. The original DoS attack has developed into what is known as a DDoS attack. Network services are rendered inoperable when volume traffic from several sources is used to overwhelm the target. DDoS attacks are implemented at many network levels via the use of various protocols. Therefore, the ability to detect and stop DDoS attacks is crucial to maintaining network integrity.

The success of computer games, specifically AlphaGo, in defeating the world’s best human chess player, as well as the success of very advanced artificial intelligence (AI) for any nonplayer-controlled characters, has made the term “deep learning” popular. Technology giants like Google and Microsoft have used deep learning with great success in a variety of their products. Natural language processing (NLP), biological information, and pattern recognition (image, speech, emotion, etc.) are just a few examples of how deep learning technology has been embedded in people’s daily lives, whether or not they are aware of it.

To safeguard networks from intrusions, the Intrusion Detection System (IDS) plays a crucial role. An IDS is software that constantly monitors network traffic and notifies administrators of any abnormalities. Since the open-source tools don’t all adhere to the same rule to detect abnormalities, it’s crucial to comprehend the specifics of each attack type before compiling IDS detection patterns with others such as signature and rule-based detection. Even though IDS tools vary in their capabilities, they all have the ability to identify a variety of threats.

When it comes to cybersecurity, deep learning has been shown to be useful for a variety of tasks, including the categorization of attacks and the detection of abnormal patterns of behavior. In this work, we use Google’s TensorFlow, an open-source deep-learning package. However, DNN is used herein. Although DNN is often regarded as a more efficient alternative to Gated Recurrent Unit (GRU), it is often criticized for its low complexity and poor accuracy. However, DNN can potentially achieve high accuracy like GRU by being made more sophisticated. Because the dataset may contain potentially worthless features, preprocessing may be used to eliminate them, improving deep learning’s detection power.

A distributed denial of service (DDoS) attack is launched when a hacker employs a network of infected computers, often known as “zombies.” To start a DDoS attack, hackers first get control of a large number of victim hosts, where they then deploy the attack’s program and order them to begin the attack. Because DDoS attacks often target a huge number of machines indirectly, anyone’s host might be targeted. DoS and scan attacks, for example, account for as much as 35% of the most common types of cyberattacks [1]. For this reason, we focus on identifying DDoS or DoS attacks in this work.

Since large amounts of data transfer (in bytes, packets, or flows) are typical of DDoS attacks, attacks like TCP/SYN will have a major effect on the victim’s computer, particularly cloud servers. There is a risk of permanent data loss in the event of a server disaster in the cloud because of the inability to restore communication and services in the event of a crash. Therefore, it is crucial to design a method to identify DDoS attacks.

Here are the primary areas where this study has a significant impact.
• To improve the reliability of identifying DDoS attacks in network traffic, we develop a DNN-based technique.
• When it comes to the accuracy of deep learning models, we test to see whether DNN can improve.
• When compared to other types of neural networks, the suggested approaches perform excellently.

Authorized licensed use limited to: CHONGQING UNIVERSITY. Downloaded on December 28,2024 at 05:40:13 UTC from IEEE Xplore. Restrictions apply.
The remaining parts of this work are as follows. Section 2 provides a brief overview of DDoS attacks before describing the current technology and research background relevant to this study and reviewing some related literature. The methodology is presented in Section 3. Experiments and their findings are discussed in the fourth part. In the end, we summarise and make some conclusions.

II. RELATED WORK

A. DDoS Attack Taxonomy

There are two basic categories of DDoS attacks: those that rely on reflection and those that rely on exploitation. The UDP flood attack is a common type of reflection-based DDoS attack. It involves sending too many UDP packets to the victim’s computer. The target system is hammered with a flood of these UDP packets, all of which are directed to different ports at random. As a result, the server begins to reject incoming connections. However, the servers and switches may sometimes be connected or disconnected. The usual flow of communication is restored after the attack has been halted. It’s unlikely that a controller would suffer any major damage from this kind of attack in such a case.

Some DDoS attacks, such as the TCP/SYN flood, use the TCP three-way handshake to exhaust a system’s resources. No SYN/ACK response will be produced by the target system since the incoming connection’s IP is spoofed. Spoofed SYN requests force the target machine’s ports to remain open unnecessarily, blocking off communication with regular users. Attackers simply need to maintain the bogus connections for this type of attack to work, and a relatively low volume of traffic is sufficient to render the target system inaccessible. This attack method involves repeatedly delivering SYN packets to the victim until the server becomes unresponsive. While the volume of traffic may be minimal, it may nevertheless be a serious problem for the server. In addition, the server will collapse unexpectedly due to the high volume of requests it receives and will not be recoverable. As a result, the server may be rendered useless by such an attack. The controller’s line of contact will remain severed regardless of whether or not the attack is halted. It seems that the host is trying to complete the handshake many times while the bogus connections are still active.

As a result, it is clear that DDoS attacks based on exploitation, such as the TCP/SYN attack, would have a devastating effect on a target computer, particularly cloud servers. It is possible that data will be lost if a cloud server breaks and cannot be restarted in order to restore connectivity and services.

B. Literature Review on DDoS Attack

Historically, the network administrator would analyze the flow directly on the switch or network devices. Network administrators now need to manage traffic flows at the SDN controller, although cyber security is an issue for both hardware and software-based infrastructures. DDoS attacks are the exclusive topic of discussion here. There is a wealth of material on the topic of packet-based DDoS classification and flow-based DDoS/normal flow classification. But there hasn’t been much discussion on how to categorize the various forms of DDoS based on their flows. A brief illustration of the related study is shown in Table I.

TABLE I: Related Study

Sl No  Model                              Dataset                      Accuracy
1      CNN+LSTM [2]                       CIC-IDS2017                  97.16%
2      DNN [4]                            KDD-CUP99                    99.96%
                                          NSL-KDD                      97.23%
3      DCNN-DSAE [6]                      -                            98.53%
4      CNN-ELM [7]                        CIC-IDS2017                  98.92%
                                          InSDN                        99.91%
5      DNN [8]                            KDD-CUP99                    99.96%
                                          NSL-KDD                      98.12%
                                          UNSW-NB15                    81.70%
6      WDTL                               KDD-CUP99                    99.92%
                                          UNSW-NB15                    94.22%
7      DNN [11]                           CIC-IDS2019-I                99.97%
                                          CIC-IDS2019-II               94.57%
8      DDoSNet [12]                       CIC-DDoS2019                 99.0%
9      AE-D3F [13]                        CIC-IDS2017, MAWI            82.0%
10     MP [14]                            CAIDA 2008, BOUN DDoS        99.68%
11     ResNet [15]                        CIC-DDoS2019                 87.0%
12     Hybrid ML [21]                     NSL-KDD                      99.86%
13     kNN-RF-NB [16]                     -                            98.5%
14     KSVD [20]                          -                            89.0%
15     DCNNBiLSTM, DCNNGRU (this study)   CIC-IDS2017, CIC-DDoS2019    99.9%

After comparing the accuracy of several deep learning models and machine learning models, Roopak et al. [2] created a hybrid CNN+LSTM architecture. Using the flow-based CIC-IDS2017 [3] dataset, the study was able to accurately identify attacks with a 97.16% accuracy rate.

The three-layer DNN presented by J. Hussain et al. [4] was designed specifically for intrusion detection. They utilized KDD-CUP99 and NSL-KDD [5], both of which are publicly accessible. Using these datasets, the experiment reached accuracy rates of 99.96% and 97.23%, respectively.

A hybrid deep learning model, DCNN-DSAE, was presented for DDoS detection by Li et al. [6]. With both an attack and a typical flow, the model can get an accuracy of 98.53% in the tests. Since SDN can gather the flow properties and generate a flow entry, they concluded that it could imply the DDoS detection system. Since the system collects the dataset in the experiment, features are picked before the flow entry is formed.

Lightweight online attack detection was suggested by Jin Wang et al. [7] and is referred to as CNN-ELM. Experimental findings demonstrate the superior detection performance of the proposed CNN-ELM model, with an accuracy of 98.92% on the CIC-IDS2017 [3] dataset and 99.91% on the InSDN¹ dataset acquired by hypothesis testing.
  ¹ InSDN: https://aseados.ucd.ie/datasets/SDN/

J. Hussain et al. [8] proposed a DNN with only three hidden layers, with dense sizes (128, 256, 128), to detect intrusion. They used three publicly available datasets: KDD-CUP99², NSL-KDD³ and UNSW-NB15⁴. The experiment achieved 99.96%, 98.12%, and 81.70% accuracy rates, respectively, on those datasets.
  ² KDD-CUP99: https://archive.ics.uci.edu/ml/machine-learning-databases/kddcup99-mld/
  ³ NSL-KDD: https://www.unb.ca/cic/datasets/nsl.html
  ⁴ UNSW-NB15: https://research.unsw.edu.au/projects/unsw-nb15-dataset

SDN-based defenses against intrusion and DDoS attacks were suggested by Assis et al. [9]. With regard to the detection mechanism, they opted for the Gated Recurrent Units (GRU) technique, achieving 99.94% accuracy. The flow-based CIC-DDoS2019 [10] dataset and its accompanying 83 characteristics are utilized in the experiment. GRU outperforms other approaches such as DNN, CNN, LSTM, Support Vector Machine (SVM), Logistic Regression (LR), k-Nearest Neighbors (kNN), and Gradient Descent (GD) on average in terms of accuracy, precision, recall, and f-measure.

To combat DDoS attacks, Cil et al. [11] presented a DNN-based strategy. A 69-unit input layer, three 50-unit hidden layers, and a 2-unit output layer make up this DNN model. The flow-based CICDDoS2019 [10] dataset is used. In the experiment, 69 features were utilized after a manual feature selection procedure eliminated 8 irrelevant features. The first result is a 99.97% detection rate for attack flows, and the second is a 94.57% success rate for categorizing those flows into reflection-based attacks and exploitation-based attacks.

For SDN, Elsayed et al. [12] suggested DDoSNet, an intrusion detection system for DDoS attacks. The technology relies on a combination of deep learning and RNN with an autoencoder (AE). The CICDDoS2019 [10] dataset is utilized for both development and evaluation purposes. Due to the removal of unnecessary features after data preparation, only 77 features are collected, but no technique for selecting features is offered. The proposed method could achieve a 99% accuracy rate in identifying both malicious and benign traffic patterns.

K. Yang et al. [13] proposed an autoencoder termed AE-D3F to conquer DDoS attacks. They used two public datasets: the UNB CIC-IDS2017 [3] dataset and the MAWI⁵ dataset. The experiment achieved an 82.00% accuracy rate.
  ⁵ MAWI: http://mawi.wide.ad.jp/mawi/samplepoint-F/2019/

D. Erhan et al. [14] proposed a Matching Pursuit algorithm method to detect DDoS attacks. They used the CAIDA 2008⁶ and BOUN DDoS⁷ datasets to train the proposed method. The experiment could achieve a 99.68% accuracy rate for a DDoS attack.
  ⁶ CAIDA 2008: https://www.caida.org/catalog/datasets/passive dataset/
  ⁷ BOUN DDoS: https://ieee-dataport.org/open-access/bo%C4%9Fazi%C3%A7i-university-ddos-dataset

F. Hussain et al. [15] proposed a ResNet method to detect DoS and DDoS attacks. They used the CIC-DDoS2019 [10] dataset for training the method. The proposed method could achieve an 87% accuracy rate for recognizing different types of DoS and DDoS attacks. S. Shanmuga Priya et al. [16] proposed an ML-based method to detect DDoS attacks. They used kNN, RF, and NB to classify DDoS attacks. The proposed method could achieve a 98.5% accuracy rate for recognizing different types of DoS and DDoS attacks. N.B. Singh et al. [17] proposed a Wide and Deep Transfer Learning (WDTL) stacked GRU framework. They used the KDD-CUP99 and UNSW-NB15 datasets to train and validate the model. The experiment could achieve 99.92% and 94.22% accuracy rates, respectively.

S. Leng et al. [18] proposed a hybrid DDoS attack detection framework termed DICOF to detect DDoS attacks. The hybrid adopts a GRU and an entropy-based method to quickly detect the DDoS attack. T. Visetbunditkun et al. [19] proposed an ensemble of machine learning methods to detect DDoS attacks. The proposed method adopts the RFE algorithm to quickly detect DDoS attack floods. They compare the performance of RFE with other well-known algorithms. E. Fenil et al. [20] proposed a KSVD technique to detect DDoS attacks. The experiment could achieve an 89% accuracy rate. S. Nandi et al. [21] proposed a hybrid technique to detect DDoS attacks. They used the NSL-KDD dataset for training the proposed method. The experiment could achieve as high as a 99.86% accuracy rate.

III. METHODOLOGY

A. Dataset and Preprocessing

Following the IDS datasets survey provided by Hnamte et al. [22], we use two publicly available datasets: CIC-IDS2017⁸ and CIC-DDoS2019⁹. These datasets reflect modern attack scenarios in real network traffic. CIC-IDS2017 contains a total of 225742 instances, including both attack and non-attack data, with 85 network flow aspects and a label attribute. Since the data in the CIC-IDS2017 dataset is unbalanced, adjustments are made for this study: unnecessary features are dropped, reducing the number of features to 81, and the dataset is split into training data and testing data. Table II represents the dropped features from the CIC-IDS2017 dataset.
  ⁸ CIC-IDS2017: https://www.unb.ca/cic/datasets/ids-2017.html
  ⁹ CIC-DDoS2019: https://www.unb.ca/cic/datasets/ddos-2019.html

TABLE II: CIC-IDS2017 Dataset Dropped Features.

Features         Description
Flow ID          Unique Flow Identification allotted
Source IP        The source IP Address
Destination IP   The destination IP Address
Timestamp        The accessing date and time

Similarly, CIC-DDoS2019 contains traffic data for DDoS attack flows along with normal data flows. A total of 86 features were developed for the CICDDoS2019 dataset [10], where the dataset was split into two groups: reflection and exploitation.

Since the data in the CIC-DDoS2019 dataset is unbalanced, adjustments are made for this study: unnecessary features are dropped, reducing the number of features to 67, and the dataset is split into training data and testing data. Table III represents the dropped features from the CIC-DDoS2019 dataset.

TABLE III: CIC-DDoS2019 Dataset Dropped Features.

Features               Description
Flow ID                Unique Flow Identification allotted
Source IP              The source IP Address
Destination IP         The destination IP Address
Source Port            Port allotted from source
Destination Port       Port allotted to destination
Timestamp              The accessing date and time
SimilarHTTP            HTTP Related Protocols
Fwd URG Flags          Forward urgent Flags
Bwd URG Flags          Backward urgent Flags
FIN Flag Count         FIN Flag Counting
PSH Flag Count         PSH Flag Counting
ECE Flag Count         ECE Flag Counting
Fwd Avg Bytes/Bulk     Average Forward Bytes
Fwd Avg Packets/Bulk   Average Forward Packets
Fwd Avg Bulk Rate      Average Forward Bulk Rate
Bwd Avg Bytes/Bulk     Average Backward Byte
Bwd Avg Packets/Bulk   Average Backward Packets
Bwd Avg Bulk Rate      Average Backward Bulk Rate

[Fig. 1: Proposed Models. Panels: (a) Model: DCNNBiLSTM, (b) Model: DCNNGRU]
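
The feature dropping and train/test split described above, as an added example that is not the authors' code: it removes the columns listed in Tables II and III, discards rows with non-finite values, maps labels to benign/attack, and splits per class so the unbalanced class ratio carries into both sets. The padded header names, the "Infinity"/"NaN" cells, the "BENIGN" label string, the per-class split and the sample rows are assumptions of this example.

```python
import csv
import io
import math
import random
from collections import defaultdict

# Columns dropped in Table II (CIC-IDS2017) and Table III (CIC-DDoS2019).
DROPPED_IDS2017 = {"Flow ID", "Source IP", "Destination IP", "Timestamp"}
DROPPED_DDOS2019 = DROPPED_IDS2017 | {
    "Source Port", "Destination Port", "SimilarHTTP",
    "Fwd URG Flags", "Bwd URG Flags",
    "FIN Flag Count", "PSH Flag Count", "ECE Flag Count",
    "Fwd Avg Bytes/Bulk", "Fwd Avg Packets/Bulk", "Fwd Avg Bulk Rate",
    "Bwd Avg Bytes/Bulk", "Bwd Avg Packets/Bulk", "Bwd Avg Bulk Rate",
}

# Constructed sample rows (not taken from either dataset). Assumptions: header
# names may carry stray spaces, rate columns may hold "Infinity" or "NaN",
# and the benign class is labelled "BENIGN".
SAMPLE_CSV = """\
Flow ID, Source IP, Destination IP, Timestamp, Flow Duration, Total Fwd Packets,Flow Bytes/s, Label
f1,192.0.2.10,198.51.100.5,2017-07-07 10:00:01,1200,4,5300.5,BENIGN
f2,192.0.2.11,198.51.100.5,2017-07-07 10:00:02,900,3,4100.0,BENIGN
f3,192.0.2.12,198.51.100.5,2017-07-07 10:00:03,0,2,Infinity,BENIGN
f4,192.0.2.13,198.51.100.5,2017-07-07 10:00:04,1500,6,6200.0,BENIGN
f5,192.0.2.14,198.51.100.5,2017-07-07 10:00:05,1100,5,5000.0,BENIGN
f6,192.0.2.15,198.51.100.5,2017-07-07 10:00:06,1300,4,4800.0,BENIGN
f7,192.0.2.16,198.51.100.5,2017-07-07 10:00:07,1000,3,4500.0,BENIGN
f8,203.0.113.7,198.51.100.5,2017-07-07 10:00:08,30,200,900000.0,DDoS
f9,203.0.113.8,198.51.100.5,2017-07-07 10:00:08,25,180,NaN,DDoS
f10,203.0.113.9,198.51.100.5,2017-07-07 10:00:09,40,220,850000.0,DDoS
f11,203.0.113.10,198.51.100.5,2017-07-07 10:00:09,35,210,910000.0,DDoS
f12,203.0.113.11,198.51.100.5,2017-07-07 10:00:10,28,190,880000.0,DDoS
"""


def load_flows(csv_text, dropped):
    """Return (feature_names, X, y, skipped) with the dropped columns removed."""
    reader = csv.reader(io.StringIO(csv_text))
    header = [h.strip() for h in next(reader)]      # normalise padded names
    label_idx = header.index("Label")
    keep = [i for i, h in enumerate(header)
            if h not in dropped and i != label_idx]
    names = [header[i] for i in keep]
    X, y, skipped = [], [], 0
    for row in reader:
        if len(row) != len(header):                 # truncated or blank line
            skipped += 1
            continue
        try:
            values = [float(row[i]) for i in keep]
        except ValueError:                          # non-numeric cell
            skipped += 1
            continue
        if not all(math.isfinite(v) for v in values):  # "Infinity" / "NaN"
            skipped += 1
            continue
        X.append(values)
        y.append(0 if row[label_idx].strip().upper() == "BENIGN" else 1)
    return names, X, y, skipped


def stratified_split(X, y, test_fraction=0.2, seed=7):
    """Split each class separately so train and test keep the class ratio."""
    rng = random.Random(seed)
    by_class = defaultdict(list)
    for idx, label in enumerate(y):
        by_class[label].append(idx)
    train_idx, test_idx = [], []
    for label in sorted(by_class):
        idxs = by_class[label]
        rng.shuffle(idxs)
        n_test = max(1, round(len(idxs) * test_fraction))
        test_idx += idxs[:n_test]
        train_idx += idxs[n_test:]

    def pick(idxs):
        return [X[i] for i in idxs], [y[i] for i in idxs]

    return pick(train_idx), pick(test_idx)


if __name__ == "__main__":
    names, X, y, skipped = load_flows(SAMPLE_CSV, DROPPED_IDS2017)
    (train_X, train_y), (test_X, test_y) = stratified_split(X, y, 0.5)
    print(names, len(X), "rows kept,", skipped, "skipped")
    print("attack share train/test:",
          sum(train_y) / len(train_y), sum(test_y) / len(test_y))
```
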
B. Architecture of the Proposed Methods

Figure 1 depicts the architecture of the suggested models. There is a split between a “training set” and a “testing set” of traffic flows for both datasets used. After the datasets are preprocessed, the DNN model is constructed according to the number of features chosen, and the training process begins. After the DNN model has been trained, we put it to the test on the testing data.

The suggested technique uses Hybrid DNN instead of traditional Gated Recurrent Units (GRU), traditional Convolutional Neural Networks (CNN), traditional AutoEncoder (AE), traditional Long-Short Term Memory (LSTM), or Recurrent Neural Networks (RNN). We assume that each piece of DDoS attack information in the dataset is a standalone piece of information rather than a time series; therefore, the detection capability of the Hybrid DNN model architecture comes from combining the strengths of CNN with LSTM and CNN with GRU to determine whether a flow is the result of a DDoS attack. The settings and parameters for the proposed models are given in Table IV.

TABLE IV: Model Setting and Environment

Model        Parameter                            Value
DCNNBiLSTM   CNN                                  1
             BiLSTM                               1
             Hidden Layer                         3
             Output Unit                          1
             Epoch                                30
             Batch Size                           128
             Hidden Layer’s Activation Function   ReLU
             Output Layer’s Activation Function   Sigmoid
             Loss Function                        Categorical Cross Entropy
             Optimiser                            Adam
DCNNGRU      CNN                                  1
             GRU                                  1
             Hidden Layers                        3
             Output Unit                          1
             Epoch                                30
             Batch Size                           128
             Hidden Layer’s Activation Function   ReLU
             Output Layer’s Activation Function   Sigmoid
             Loss Function                        Categorical Cross Entropy
             Optimiser                            Adam

Training a neural network requires n inputs and at least 2n hidden-layer nodes. Therefore, we constructed a DCNNBiLSTM model consisting of one CNN layer connected to a bidirectional LSTM; batch normalization is then applied and connected to a bidirectional LSTM again, which is then connected to three hidden layers before the output layer. Similarly, we constructed a DCNNGRU model consisting of one CNN layer connected to a GRU layer, which was then connected to three hidden layers and then to the output layer. Adam, with its gradient speed adjustment for the direction of the previous gradient and its learning rate adjustment based on the square of the past gradient, is used as the optimizer.
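
The optimizer sentence above, worked through as an added example that is not the authors' code: a from-scratch Adam update trains a single sigmoid output unit for 30 epochs with batch size 128, the values in Table IV. The learning rate, the beta and epsilon values, the binary cross-entropy loss and the two flow features are assumptions of this example, and the sample flows are constructed.

```python
import math


def sigmoid(z):
    # Numerically stable logistic function for the single output unit.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def predict(params, x):
    # params = [w_1, ..., w_d, bias]; zip() stops before the bias term.
    return sigmoid(sum(w * xi for w, xi in zip(params, x)) + params[-1])


def bce_loss(params, X, y):
    # Mean binary cross-entropy (assumed loss for this one-unit sketch).
    eps = 1e-12
    total = 0.0
    for x, t in zip(X, y):
        p = predict(params, x)
        total -= t * math.log(p + eps) + (1 - t) * math.log(1.0 - p + eps)
    return total / len(X)


def bce_gradient(params, X, y):
    grad = [0.0] * len(params)
    for x, t in zip(X, y):
        err = predict(params, x) - t        # d(loss)/d(z) for sigmoid + BCE
        for j, xj in enumerate(x):
            grad[j] += err * xj
        grad[-1] += err
    return [g / len(X) for g in grad]


class Adam:
    def __init__(self, n_params, lr=0.05, beta1=0.9, beta2=0.999, eps=1e-8):
        self.lr, self.beta1, self.beta2, self.eps = lr, beta1, beta2, eps
        self.m = [0.0] * n_params   # running mean of gradients (direction)
        self.v = [0.0] * n_params   # running mean of squared gradients (scale)
        self.t = 0

    def step(self, params, grads):
        self.t += 1
        updated = []
        for i, (p, g) in enumerate(zip(params, grads)):
            # First moment: keeps moving in the direction of past gradients.
            self.m[i] = self.beta1 * self.m[i] + (1 - self.beta1) * g
            # Second moment: per-parameter step scaling from squared gradients.
            self.v[i] = self.beta2 * self.v[i] + (1 - self.beta2) * g * g
            # Bias correction compensates for the zero initialisation.
            m_hat = self.m[i] / (1 - self.beta1 ** self.t)
            v_hat = self.v[i] / (1 - self.beta2 ** self.t)
            updated.append(p - self.lr * m_hat / (math.sqrt(v_hat) + self.eps))
        return updated


def train(X, y, epochs=30, batch_size=128, lr=0.05):
    params = [0.0] * (len(X[0]) + 1)
    opt = Adam(len(params), lr=lr)
    history = []
    for _ in range(epochs):
        for start in range(0, len(X), batch_size):
            xb, yb = X[start:start + batch_size], y[start:start + batch_size]
            params = opt.step(params, bce_gradient(params, xb, yb))
        history.append(bce_loss(params, X, y))   # loss after each epoch
    return params, history


# Constructed flows: [scaled packet rate, fraction of SYN-only packets].
FLOWS = [[0.10, 0.05], [0.20, 0.10], [0.15, 0.08], [0.25, 0.12],
         [0.80, 0.90], [0.90, 0.85], [0.85, 0.95], [0.75, 0.80]]
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]   # 0 = benign, 1 = DDoS

if __name__ == "__main__":
    params, history = train(FLOWS, LABELS)
    print("loss epoch 1 -> 30:", round(history[0], 4), "->", round(history[-1], 4))
    print("scores:", [round(predict(params, x), 3) for x in FLOWS])
```

On the first step the bias-corrected ratio is the gradient divided by its own magnitude, so every parameter with a non-zero gradient moves by about the learning rate regardless of how large that gradient is.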
IV. RESULT AND DISCUSSION

We assessed the data set beforehand so that we could proceed with the experiment. As there are two files to work with in CIC-IDS2017 [3], they are combined before being divided into a training set and a testing set. In contrast, CIC-DDoS2019 [10] includes a total of 18 files, which are combined before being divided into two: one for training and one for testing.

Figure 1 depicts the experimental DNN model, and Table IV lists the values of the model’s parameters; the model has n input units, n hidden layers, 2n+1 hidden units, and n output features. We trained the DCNNBiLSTM model for 30 epochs using a batch size of 128, ReLU and sigmoid activation functions, Categorical Cross Entropy as the loss function, and Adam as the optimizer. Similarly, we trained the DCNNGRU model using Adam as the optimizer, for 30 epochs, with a batch size of 128, with ReLU and sigmoid as the activation functions, and Categorical Cross Entropy as the loss function.

Figure 2 displays the results of the training and testing done using the CIC-IDS2017 dataset with the DCNNBiLSTM model. The testing with the given features could achieve 99.9% accuracy and a 0.0035 loss rate. The accuracy performance is illustrated in Figure 2a, whereas Figure 2b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 2c.

[Fig. 2: Model: DCNNBiLSTM with CIC-IDS2017. Panels: (a) Model Accuracy Performance, (b) Model Loss Performance, (c) Confusion Matrix]

Figure 3 displays the results of the training and testing done using the CIC-DDoS2019 dataset with the DCNNBiLSTM model. The testing with the given features could achieve 99.95% accuracy and a 0.0022 loss rate. The accuracy performance is illustrated in Figure 3a, whereas Figure 3b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 3c.

[Fig. 3: Model: DCNNBiLSTM with CIC-DDoS2019. Panels: (a) Model Accuracy Performance, (b) Model Loss Performance, (c) Confusion Matrix]

Figure 4 displays the results of the training and testing done using the CIC-IDS2017 dataset with the DCNNGRU model. The testing with the given features could achieve 99.92% accuracy and a 0.0029 loss rate. The accuracy performance is illustrated in Figure 4a, whereas Figure 4b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 4c.

[Fig. 4: Model: DCNNGRU with CIC-IDS2017. Panels: (a) Model Accuracy Performance, (b) Model Loss Performance, (c) Confusion Matrix]

Figure 5 displays the results of the training and testing done using the CIC-DDoS2019 dataset with the DCNNBiLSTM model. The testing with the given features could achieve 99.93% accuracy and a 0.0025 loss rate. The accuracy performance is illustrated in Figure 5a, whereas Figure 5b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 5c.

[Fig. 5: Model: DCNNGRU with CIC-DDoS2019. Panels: (a) Model Accuracy Performance, (b) Model Loss Performance, (c) Confusion Matrix]

Table V displays the overall proposed model performance based on accuracy and loss rate.

TABLE V: Performance of Proposed Models

Dataset        Model        Accuracy   Loss
CIC-IDS2017    DCNNBiLSTM   99.90%     0.0035
               DCNNGRU      99.92%     0.0029
CIC-DDoS2019   DCNNBiLSTM   99.95%     0.0022
               DCNNGRU      99.93%     0.0025

V. CONCLUSION

In this work, we suggest a DDoS detection method that utilizes DNN in two methods to identify these malicious intrusions. The suggested methods are interesting because they can be used both to find DDoS attacks coming from the network and to figure out what kind of DDoS attack it is. By training and testing on the CIC-IDS2017 and CIC-DDoS2019 datasets, we could achieve an accuracy of 99.9% in identifying all types of DDoS attacks, with only 81 characteristics for the CIC-IDS2017 dataset and with only 67 characteristics for the CIC-DDoS2019 dataset. In conclusion, the suggested techniques could potentially outperform traditional GRU, LSTM, and other current deep learning models as the DNN’s complexity grows. Our future study will explore the detection of DDoS attacks in an SDN environment with real-time traffic, and will also aim to improve the error rate while training and validating the model with newer datasets.

ACKNOWLEDGMENT

The authors wish to thank Mizoram University for all the support and motivation for this research.

REFERENCES

[1] McAfee, “McAfee Labs Threats Report 2016 - 2017.” https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-mar-2017.pdf, 2017. [Online; accessed 19-November-2022].
[2] M. Roopak, G. Yun Tian, and J. Chambers, “Deep learning models for cyber security in IoT networks,” in 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC), pp. 0452–0457, 2019. doi: 10.1109/CCWC.2019.8666588.
[3] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” ICISSp, vol. 1, pp. 108–116, 2018. doi: 10.5220/0006639801080116.
[4] J. Hussain and V. Hnamte, “Deep learning based intrusion detection system: Software Defined Network,” in 2021 Asian Conference on Innovation in Technology (ASIANCON), pp. 1–6, 2021. doi: 10.1109/ASIANCON51346.2021.9544913.
[5] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD CUP 99 data set,” in 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, pp. 1–6, 2009. doi: 10.1109/CISDA.2009.5356528.
[6] C. Li, Y. Wu, Z. Qian, Z. Sun, W. Wang, et al., “DDoS attack detection and defense based on hybrid deep learning model in SDN,” Journal of Communication, vol. 39, pp. 176–187, 2018. doi: 10.11959/j.issn.1000-436x.2018128.
[7] J. Wang and L. Wang, “SDN-Defend: A Lightweight Online Attack Detection and Mitigation System for DDoS Attacks in SDN,” Sensors, vol. 22, no. 21, 2022. doi: 10.3390/s22218287.
[8] J. Hussain and V. Hnamte, “A novel deep learning based intrusion detection system : Software Defined Network,” in 2021 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT), pp. 506–511, 2021. doi: 10.1109/3ICT53449.2021.9581404.
[9] M. V. Assis, L. F. Carvalho, J. Lloret, and M. L. Proença, “A GRU deep learning system against attacks in software defined networks,” Journal of Network and Computer Applications, vol. 177, p. 102942, 2021. doi: 10.1016/j.jnca.2020.102942.
[10] I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, “Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy,” in 2019 International Carnahan Conference on Security Technology (ICCST), pp. 1–8, 2019. doi: 10.1109/CCST.2019.8888419.
[11] A. E. Cil, K. Yildiz, and A. Buldu, “Detection of DDoS attacks with feed forward based deep neural network model,” Expert Systems with Applications, vol. 169, p. 114520, 2021. doi: 10.1016/j.eswa.2020.114520.
[12] M. S. Elsayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “DDoSNet: A deep-learning model for detecting network attacks,” in 2020 IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), pp. 391–396, 2020. doi: 10.1109/WoWMoM49955.2020.00072.
[13] K. Yang, J. Zhang, Y. Xu, and J. Chao, “DDoS attacks detection with AutoEncoder,” in NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, pp. 1–9, 2020. doi: 10.1109/NOMS47738.2020.9110372.
[14] D. Erhan and E. Anarim, “Hybrid ddos detection framework using matching pursuit algorithm,” IEEE Access, vol. 8, pp. 118912–118923, 2020. doi: 10.1109/ACCESS.2020.3005781.
[15] F. Hussain, S. G. Abbas, M. Husnain, U. U. Fayyaz, F. Shahzad, and G. A. Shah, “IoT DoS and DDoS Attack Detection using ResNet,” in 2020 IEEE 23rd International Multitopic Conference (INMIC), pp. 1–6, 2020. doi: 10.1109/INMIC50486.2020.9318216.
[16] S. Priya, M. Sivaram, D. Yuvaraj, and A. Jayanthiladevi, “Machine Learning based DDOS Detection,” in 2020 International Conference on Emerging Smart Computing and Informatics (ESCI), pp. 234–237, 2020. doi: 10.1109/ESCI48226.2020.9167642.
[17] N. B. Singh, M. M. Singh, A. Sarkar, and J. K. Mandal, “A novel wide & deep transfer learning stacked GRU framework for network intrusion detection,” Journal of Information Security and Applications, vol. 61, p. 102899, 2021. doi: 10.1016/j.jisa.2021.102899.
[18] S. Leng, Y. Xie, Y. Zhang, Y. Guo, L. Fang, and F. Li, “DICOF: A distributed and collaborative framework for hybrid DDoS attack detection,” in 2022 IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, 2022. doi: 10.1109/ISCC55528.2022.9912872.
[19] T. Visetbunditkun and W. Srichavengsup, “DDoS Attack Detection Using Ensemble Machine Learning Models with RFE Algorithm,” in 2022 7th International Conference on Business and Industrial Research (ICBIR), pp. 269–273, 2022. doi: 10.1109/ICBIR54589.2022.9786423.
[20] E. Fenil and P. M. Kumar, “Towards a secure Software Defined Network with adaptive mitigation of DDoS attacks by Machine Learning Approaches,” in 2022 International Conference on Advances in Computing, Communication and Applied Informatics (ACCAI), pp. 1–13, 2022. doi: 10.1109/ACCAI53970.2022.9752607.
[21] S. Nandi, S. Phadikar, and K. Majumder, “Detection of ddos attack and classification using a hybrid approach,” in 2020 Third ISEA Conference on Security and Privacy (ISEA-ISAP), pp. 41–47, 2020. doi: 10.1109/ISEA-ISAP49340.2020.234999.
[22] V. Hnamte and J. Hussain, “An extensive survey on intrusion detection systems: Datasets and challenges for modern scenario,” in 2021 3rd International Conference on Electrical, Control and Instrumentation Engineering (ICECIE), pp. 1–10, 2021. doi: 10.1109/ICECIE52348.2021.9664737.
