In the rapidly evolving field of network security, Distributed Denial of Service (DDoS) attacks continue to be a critical threat, disrupting cyber services and incurring enormous financial and reputational losses. This research paper presents an extensive analysis of the different models of deep learning, including pretrained BERT, Recurrent Neural Network (RNN), Dense Neural Network (Dense), Bidirectional Long Short-Term Memory (Bi-LSTM), Long Short-Term Memory (LSTM), and Gated Recurrent Unit (GRU), to evaluate their effectiveness in identifying DDoS attacks. The research fills the gap in applying deep learning models, specifically transformer-based models such as BERT, in structured network traffic data and compares their performance with sequence-based models on the CIC-DDoS2019 dataset. The models were evaluated against a dataset of benign and malicious traffic, using primary metrics: recall, precision, F1 score, and accuracy. Performance results show that models based on sequence, such as RNN, LSTM, and GRU, outperform in terms of capturing temporal relations in network traffic data, with the RNN performing best at 97.85% accuracy. The high performance is credited to a new preprocessing pipeline with adaptive temporal window selection and composite feature engineering, as well as architectural advances such as a variant of BERT and attention-augmented RNN variants. On the other hand, BERT, though effective in natural language processing, performed poorly within this structured data space, emphasising the need for model choice based on data properties. This research bridges an essential gap through a systematic comparison of these models and the addition of preprocessing and architectural advancements, providing real-world implications for the development of Network Intrusion Detection Systems (NIDSs) and the improvement of cybersecurity against DDoS attacks.
Introduction
In the dynamically changing world of cybersecurity, Distributed Denial of Service (DDoS) attacks continue to present a significant challenge for ensuring network stability and security [1]. DDoS attacks inundate targeted systems with unwanted traffic from multiple sources, disrupting services, incurring financial losses, and causing reputational damage. With the rise in complexity and scale of DDoS attacks, there is an urgent need for sophisticated detection and mitigation methods [2]. DDoS attacks are usually categorised as reflection-based and exploitation-based. Reflection-based attacks utilise valid third-party components to hide the identity of the attacker, and exploitation-based attacks take advantage of weaknesses in the target system. Figure 1 shows an extensive taxonomy of DDoS attacks that illustrates their complexity and diversity.
Fig. 1. DDoS taxonomy [14]
Traditional approaches to DDoS detection, including statistical analysis, signature-based detection, and traditional machine learning models, have worked well but tend not to cope with the dynamic nature of DDoS attacks [3]. They can be ineffective in identifying complex temporal and contextual patterns in network traffic, especially in contemporary, large-scale attacks [4]. The CIC-DDoS2019 dataset, created from an advanced testbed, offers a comprehensive set of network traffic data, both benign and sophisticated DDoS attacks, that accurately approximate real-world conditions [5]. Figure 2 shows the DDoS dataset testbed highlighting its applicability for testing detection algorithms.
Fig. 2. DDoS testbed
Recent advances in deep learning, especially in Natural Language Processing (NLP), have provided new opportunities for tackling complex pattern identification tasks. BERT (Bidirectional Encoder Representations from Transformers), initially designed for NLP, is particularly effective at encoding contextual relationships and long-distance dependencies between data in sequences [6]. Its use, however, in structured network traffic data for DDoS detection is an under-exploited area, which represents a critical research gap. Through the use of BERT to handle features learnt from the CIC-DDoS2019 dataset, this work seeks to create a model that could efficiently differentiate between normal traffic and malicious traffic with high accuracy. This approach utilises BERT’s contextual modelling abilities while filling the gap in its use on non-text, structured data spaces.
This research compares the efficacy of several deep learning architectures (BERT, Dense Neural Networks, RNNs, LSTMs, Bi-LSTMs, and GRUs) for DDoS identification, taking advantage of their different designs. The work fills the void in extensive comparisons of transformer-based and sequence-based models on structured network data, hypothesising that sequence-based models (RNN, LSTM, Bi-LSTM, and GRU) will outperform the others because they can learn the temporal patterns essential to identifying DDoS traffic. These architectures were chosen for their capabilities in processing sequential data (RNN, LSTM, Bi-LSTM, and GRU), structured data (Dense), and contextual embeddings (BERT). To address this gap, we present a new preprocessing pipeline with adaptive window selection and composite feature engineering, in addition to architectural improvements, including a customised BERT architecture and attention-augmented RNN variants. The models were trained and tested on the CIC-DDoS2019 dataset and evaluated on accuracy, precision, recall, and F1 score.
The research bridges the gap by: (1) rigorously comparing BERT and sequence-based models on a contemporary dataset, (2) proposing a new preprocessing pipeline to improve data representation, and (3) suggesting architectural advancements to enhance detection performance. These contributions offer practical recommendations for deploying effective NIDSs. The structure of the paper is as follows: Sect. "Literature review" discusses related work, and Sect. "Methodology" outlines the methodology, namely the dataset, preprocessing pipeline, model architectures, and evaluation metrics. Section "Results and discussion" presents the results and discusses the findings, and Sect. "Conclusion" concludes with insights and directions for future work.
Literature review
Intrusion Detection Systems (IDS) are a critical security measure for network environments, and numerous studies have aimed to enhance their performance using machine learning (ML) and deep learning (DL) techniques [7]. Distributed Denial of Service (DDoS) attacks are an ongoing threat, disrupting network resource availability as they grow larger in size and more complex in nature [8]. Traditional detection mechanisms, including pattern matching, risk assessment, and supervised ML, tend to struggle in response to newly arising or dynamic DDoS attack vectors, especially in sophisticated computing infrastructures such as cloud platforms, the Internet of Things (IoT), and Software-Defined Networks (SDNs) [8].
Early research studies deployed ML-based techniques to detect DDoS attacks. Xin et al. [9] tested both ML- and DL-based applications for security, highlighting their superiority over standard signature-based defensive systems. Singh and Gupta [10] employed supervised learning for traffic classification, where moderate performance was observed but without flexibility towards new types of attacks. Comparative studies by Sabeel et al. [11] and Etyang et al. [12] showed that DL models tend to outperform traditional ML methods for DDoS detection. In the same light, Cil et al. [13] investigated the possibility of using DL in the identification of sophisticated and dynamic traffic behaviours. Though these contributions demonstrate the advantages of DL, they fail to provide explicit comparisons with transformer models like BERT, which is tackled in our research.
Sarker [14] and Mandela et al. [1] surveyed works on applications of neural networks and DL in cybersecurity, such as DDoS detection, and emphasised their ability to capture complex nonlinear data patterns. Alzahrani and Alzahrani [15] compared six ML algorithms, Support Vector Machine, Decision Tree, K-Nearest Neighbour, Random Forest, Naïve Bayes, and Logistic Regression, on the CIC-DDoS2019 dataset and found that Decision Tree and Random Forest both achieved 99% accuracy. Seifousadati et al. [16] showed that ensemble techniques such as XGBoost and AdaBoost were capable of achieving perfect accuracy, albeit at the expense of large computational cost. Amrish et al. [17] compared rotation trees, KNN, decision trees, and artificial neural networks (ANNs) and found that ANNs reached 99.95% accuracy. CNN architectures have also been employed effectively: Shaaban et al. [18] created CNN models for large-scale DDoS detection in SDNs, Chen et al. [19] proposed multi-channel CNNs, and Nugraha and Murthy [20] fused CNN and LSTM networks to learn both spatial and temporal features. Yeom et al. [21] developed an LSTM-based collaborative detection system that was quite effective in mitigating abnormal traffic patterns, reinforcing the usefulness of sequence-based approaches.
More enhancements followed with ensemble deep learning models. Elsaeidy et al. [22] trained several DL models to enhance both accuracy and resilience, while Wei et al. [23] combined Multilayer Perceptron (MLP) models with Autoencoders (AE) for improved classification performance. Hybrid approaches like the CNN-BiLSTM architecture proposed by Hnamte and Hussain [24] combined CNN feature extraction ability with Bi-LSTM’s temporal dependency handling to achieve excellent performance on contemporary datasets. Together, all these studies substantiate the efficacy of DL, especially sequence-based and hybrid architectures, but seldom examine the possibility of transformer-based models like BERT for structured network intrusion data, which is the gap this work seeks to fill.
In cloud environments, DDoS detection is further challenged. Agrawal and Tapaswi [25] surveyed multiple categories of DDoS and their mitigation methods specific to cloud platforms, emphasising the requirement of adaptive methods. Venkatesan et al. [26] proposed a moving target defence method in which proxy servers were periodically changed, and client requests were forwarded to thwart attacks. Kansal and Dave [27] suggested employing load-balancing methods together with attack proxies to separate malicious insiders from regular users. In a similar vein, Jia et al. [28] designed a cloud defence system that includes selective server replication and dynamic client reassignment to increase resiliency. Although the above contributions are useful defence ideas, they do not explore the strength of state-of-the-art DL detection models, highlighting the relevance of our DL-centred assessment.
Transfer learning was identified as a valuable means to cope with the lack of labelled datasets for DDoS detection. Wu et al. [29] illustrated that pretrained models could enhance IDS performance in the scenario where labelled data are scarce. Okey et al. [30] and Zhang et al. [31] effectively transferred pretrained DL models for DDoS detection within the IoT setting with high performance. Yang and Shami [32] introduced a CNN-based transfer learning model for intrusion detection within the Internet of Vehicles (IoV), with experimental results demonstrating adaptability in the case of limited computational resources.
Other innovations have broadened the detection scene. Cheng et al. [33] proposed a multi-kernel learning approach, and Kushwah and Ranga [34] presented an improved self-adaptive evolutionary extreme learning machine for DDoS detection. Agostinello et al. [35] proposed DL frameworks with adaptable configurations and optimised neuron architectures to enhance resistance to adaptive attacks. Ullah and Mahmoud [36] integrated RNN, LSTM, Bi-LSTM, and GRU models to identify IoT-based DDoS attacks with consistent accuracy on several datasets. Rahman [37] implemented eight ML methods, where Bi-LSTM had a precision between 99.9 and 100%. Hariprasad and Bharathiraja [38] proposed a hybrid RNN-ELM model that recorded 99% accuracy over NSL-KDD, whereas Aswad et al. [39] provided a CNN-Bi-LSTM hybrid model with 99.76% accuracy. Almiani et al. [40] used a Kalman backpropagation neural network on the CIC-DDoS2019 dataset with 94% accuracy and 91.22% precision.
Later developments better demonstrate the ongoing applicability of DL to this domain. Badawy et al. [41] used LSTM-based models for SDN anomaly detection with high accuracy. Alghazzawi et al. [42] designed a CNN-LSTM hybrid to detect DDoS attacks on an IoT-based system, reporting 98.7% accuracy on CIC-DDoS2019. Doriguzzi-Corin and Siracusa [43] designed a federated learning framework that yielded 97.5% accuracy, whereas Zhang [44] used a Graph Neural Network (GNN) on a proprietary dataset and reported 96.8% accuracy. Although these papers emphasise various DL methodologies, they fail to provide systematic comparisons between transformer-based models and sequence-based approaches to structured intrusion detection, which is also an emphasis of this work.
This research makes the following contributions: (1) performing an in-depth comparative study between BERT, RNN, LSTM, Bi-LSTM, GRU, and Dense models on the CIC-DDoS2019 dataset; (2) introducing a novel preprocessing paradigm through adaptive temporal windowing and composite feature engineering; and (3) leveraging architectural advancements, including an adapted BERT and attention-augmented RNN variants. These are done to enhance detection speed and accuracy to overcome the shortcomings of current methods in managing structured network data in real-time scenarios.
Current challenges and limitations
While considerable advances have been made in DDoS detection research, some issues remain. One such issue is model interpretability. Most DL architectures are opaque “black boxes”, and hence, it is hard to check their decision-making processes and gain the trust of stakeholders. Real-time detection is also still an issue because models such as BERT and ResNet are computationally heavy and thus can introduce latency under high-traffic conditions. Another issue is adaptability; static models tend not to pick up new and changing attack methods, as noted by Agostinello et al. [35].
Our approach addresses the identified challenges through a preprocessing methodology designed around specific attack behaviour, architectural changes that improve adaptability, and training procedures optimised to minimise latency and increase inference speed. With these measures, the proposed framework improves DDoS detection performance while maintaining operational efficiency in real-time scenarios.
Methodology
This section provides a comprehensive overview of the methodology employed to evaluate deep learning models for Distributed Denial of Service (DDoS) attack detection using the CIC-DDoS2019 dataset. This study addresses a critical research gap: the limited application of transformer-based models, such as BERT, to structured network traffic data for DDoS detection, and the lack of systematic comparisons with sequence-based models (RNN, LSTM, Bi-LSTM, and GRU). Our methodology fills this gap by: (1) evaluating a diverse set of deep learning models, (2) introducing a novel preprocessing pipeline with adaptive temporal window selection and composite feature engineering, and (3) proposing architectural innovations, including a modified BERT architecture and attention-enhanced RNN variants, to enhance detection performance. The methodology encompasses the dataset, preprocessing pipeline, model architectures, training process, evaluation metrics, and experimental setup, ensuring reproducibility and practical applicability in real-world network security scenarios.
Dataset
The CIC-DDoS2019 dataset, developed by the Canadian Institute for Cybersecurity (CIC) at the University of New Brunswick, was used for this study [45]. This dataset simulates real-world network traffic scenarios, making it a critical resource for cybersecurity research. It includes a comprehensive collection of benign and malicious traffic, encompassing modern DDoS attacks such as PortMap, LDAP, NetBIOS, UDP, MSSQL, SYN, UDP-Lag, DNS, NTP, and SNMP. These attacks were executed over a specified period, with network flows recorded in CSV format. The dataset contains 87 attributes, including protocols, source and destination ports, source and destination IP addresses, timestamps, and attack types, providing a detailed representation of network activity under both normal and attack conditions.
Preprocessing pipeline
A novel preprocessing pipeline was developed to enhance model performance by tailoring the data to the characteristics of DDoS attacks. Figure 3 illustrates this pipeline, which includes feature selection, composite feature engineering, adaptive temporal window selection, data cleaning, normalisation, and label encoding, designed to improve the capture of temporal and contextual patterns in network traffic.
The original 87 features were reduced to 41 based on correlation analysis, eliminating features with correlation coefficients exceeding 0.95 to prevent redundancy. Key retained features included total forward packets, flow duration, total backwards packets, and packet length statistics, as these are strong indicators of abnormal network behaviour during DDoS attacks. Novel composite features, such as packet rate per time window and inter-arrival time variance, were engineered to capture traffic bursts typical of DDoS attacks. Adaptive temporal window selection was introduced, dynamically adjusting window sizes (e.g. 100 packets for short bursts and 500 packets for prolonged attacks) based on attack duration and intensity, improving model sensitivity to varying attack patterns.
Duplicate entries were removed, reducing the dataset size by 12%. Missing values were handled using median imputation for continuous features, and outliers beyond three standard deviations from the mean were eliminated to enhance data quality.
For normalisation, multiple techniques were applied: Min–Max scaling for continuous features, Z-score normalisation for features with Gaussian distributions, and log transformation for heavily skewed features, ensuring robust data representation. A sliding window approach (window size of 100 packets) was implemented to calculate statistical measures (e.g. mean, variance, and maximum packet rates) and generate time-based aggregated features, enhancing the dataset's ability to capture the temporal dependencies critical for DDoS detection. Labels indicating benign or DDoS attack traffic were converted to numerical values (0 for benign and 1 for attack) to ensure compatibility with deep learning models. The dataset was split into training (80%) and testing (20%) sets, with 20% of the training data reserved for validation to ensure robust evaluation of model generalisation. Figure 3 illustrates the complete pipeline.
Fig. 3. Preprocessing pipeline for DDoS detection
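The following is an added, stand-alone illustration of the cleaning, correlation pruning, adaptive-window composite features and label encoding described above; it is not the paper's own code. The column names, the constructed flow records and the packets-per-second threshold that selects the 100- or 500-packet window are assumptions, since the paper does not state how duration and intensity map to a window size.

```python
import random
import statistics

# Column names are illustrative stand-ins for CIC-DDoS2019 fields (assumption).
FEATURES = ["tot_fwd_pkts", "tot_bwd_pkts", "flow_duration", "pkt_len_mean"]
CORR_LIMIT = 0.95                      # paper: drop features correlated above 0.95
SHORT_WINDOW, LONG_WINDOW = 100, 500   # paper: 100 packets for bursts, 500 for prolonged attacks
BURST_RATE = 50.0                      # assumed packets/s threshold that selects the short window


def make_flows(n_benign=60, n_attack=40, seed=1):
    """Constructed sample flows; a missing value, a duplicate and a 3-sigma outlier are planted."""
    rng = random.Random(seed)
    flows = []
    for i in range(n_benign + n_attack):
        attack = i >= n_benign
        fwd = rng.randint(200, 400) if attack else rng.randint(2, 20)
        flows.append({
            "timestamp": float(i),
            "tot_fwd_pkts": fwd,
            "tot_bwd_pkts": fwd + rng.randint(0, 3),   # almost collinear with tot_fwd_pkts
            "flow_duration": rng.uniform(0.5, 2.0) if attack else rng.uniform(5.0, 60.0),
            "pkt_len_mean": rng.uniform(40.0, 80.0) if attack else rng.uniform(200.0, 1400.0),
            "label": "DDoS" if attack else "BENIGN",
        })
    flows[3]["pkt_len_mean"] = None                                           # missing value
    flows.append(dict(flows[5]))                                              # exact duplicate
    flows.append({**flows[70], "timestamp": 101.0, "tot_fwd_pkts": 100000})  # outlier
    return flows


def dedupe(flows):
    """Drop exact duplicate rows, keeping the first occurrence."""
    seen, out = set(), []
    for f in flows:
        key = tuple(f[k] for k in sorted(f))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def impute_median(flows, features):
    """Median imputation for continuous features, as in the paper."""
    for k in features:
        med = statistics.median([f[k] for f in flows if f[k] is not None])
        for f in flows:
            if f[k] is None:
                f[k] = med
    return flows


def drop_outliers(flows, features, sigmas=3.0):
    """Remove rows with any feature more than 3 standard deviations from its mean."""
    bounds = {}
    for k in features:
        vals = [f[k] for f in flows]
        mu, sd = statistics.mean(vals), statistics.pstdev(vals)
        bounds[k] = (mu - sigmas * sd, mu + sigmas * sd)
    return [f for f in flows if all(bounds[k][0] <= f[k] <= bounds[k][1] for k in features)]


def pearson(xs, ys):
    mx, my = statistics.mean(xs), statistics.mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def prune_correlated(flows, features, limit=CORR_LIMIT):
    """Keep a feature only if |r| <= limit against every feature already kept."""
    kept = []
    for k in features:
        col = [f[k] for f in flows]
        if all(abs(pearson(col, [f[j] for f in flows])) <= limit for j in kept):
            kept.append(k)
    return kept


def window_size(flow):
    """Assumed rule: intense bursts get the short window, prolonged traffic the long one."""
    return SHORT_WINDOW if flow["tot_fwd_pkts"] / flow["flow_duration"] >= BURST_RATE else LONG_WINDOW


def add_composite_features(flows):
    """Per-flow packet rate over the adaptive packet window and inter-arrival-time variance."""
    flows = sorted(flows, key=lambda f: f["timestamp"])
    start, pkts = 0, 0
    for i, f in enumerate(flows):
        pkts += f["tot_fwd_pkts"]
        while pkts > window_size(f) and start < i:   # shrink the window to at most N packets
            pkts -= flows[start]["tot_fwd_pkts"]
            start += 1
        window = flows[start:i + 1]
        span = f["timestamp"] + f["flow_duration"] - window[0]["timestamp"]
        f["pkt_rate_win"] = pkts / span
        gaps = [b["timestamp"] - a["timestamp"] for a, b in zip(window, window[1:])]
        f["iat_var_win"] = statistics.pvariance(gaps) if len(gaps) > 1 else 0.0
    return flows


def run_pipeline(flows):
    """Clean, prune and enrich the flows; returns the kept feature names and the rows."""
    flows = drop_outliers(impute_median(dedupe(flows), FEATURES), FEATURES)
    kept = prune_correlated(flows, FEATURES)
    flows = add_composite_features(flows)
    for f in flows:
        f["y"] = 0 if f["label"] == "BENIGN" else 1   # paper: 0 benign, 1 attack
    return kept, flows
```

Scaling and the 80/20 split are omitted here as standard steps; on the constructed data the near-collinear tot_bwd_pkts is pruned and attack flows receive the short window.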
Model architectures
A diverse set of deep learning models was evaluated, each chosen for its unique capabilities in processing network traffic data. Figure 4 illustrates the architectures of the evaluated models, highlighting the modified BERT and attention-enhanced RNN variants introduced in this study.
BERT (Bidirectional Encoder Representations from Transformers): Originally designed for natural language processing, BERT was fine-tuned for this study by converting network traffic features into tokenised sequences, processed through a dense layer built on BERT embeddings. A modified BERT architecture was introduced, incorporating a custom input layer to handle numerical features and an attention mechanism tailored for structured data, addressing the gap in applying transformer-based models to network security.
Dense Neural Network (DNN): A fully connected feed-forward neural network with multiple dense layers, ReLU activation functions, and dropout layers for regularisation. It is suitable for general classification tasks but is limited in capturing temporal dependencies [47].
Recurrent Neural Network (RNN): Selected for its ability to process sequential data, maintaining hidden states to capture the temporal patterns critical for DDoS detection.
Long Short-Term Memory (LSTM): A sophisticated RNN variant with memory cells to capture long-term dependencies, ideal for detecting prolonged or intermittent attack patterns.
Bidirectional LSTM (Bi-LSTM): Extends LSTM by processing sequences in both forward and backward directions, enhancing the capture of temporal relationships [48–50].
Gated Recurrent Unit (GRU): A streamlined LSTM variant with a single update gate, offering computational efficiency while maintaining performance, suitable for resource-constrained environments [51].
A novel attention mechanism was integrated into the RNN, LSTM, Bi-LSTM, and GRU models, weighting important temporal features to improve pattern recognition and detection accuracy. Figure 4 illustrates all six architectures, including the custom input layer and attention mechanism of the modified BERT and the attention-enhanced RNN variants.
Fig. 4. Deep learning model architectures for DDoS detection
Training process
The models were trained on the preprocessed CIC-DDoS2019 dataset using a configuration optimised for network traffic classification. The sparse categorical cross-entropy loss function was used with the Adam optimiser (learning rate of 0.001). Training was conducted in batches of 64 samples for up to 100 epochs, with early stopping (patience of 5 epochs) monitoring validation metrics to prevent overfitting. Additional training strategies were implemented, including an adaptive learning rate schedule (halving the learning rate when validation loss plateaus for 3 epochs) and gradient clipping (threshold of 1.0), to reduce computational overhead while maintaining accuracy, addressing real-time detection requirements.
Evaluation metrics
Model performance was assessed using four key metrics, defined as follows:
Accuracy: Measures the overall ability to correctly classify traffic.
1
where:
TP: True Positives (correctly identified DDoS attacks)
TN: True Negatives (correctly identified benign traffic)
FP: False Positives (benign traffic misclassified as attacks)
FN: False Negatives (missed DDoS attacks)
Precision: Quantifies the reliability of DDoS attack predictions
2
where:
TP: True Positives
FP: False Positives
Recall: Measures the ability to detect all actual DDoS attacks.
3
where:
TP: True Positives
FN: False Negatives
F1 Score: Balances precision and recall, critical for DDoS detection.
4
where:
Precision: Proportion of correctly identified attacks
Recall: Proportion of actual attacks detected
To ensure reproducibility, we maintained detailed logs of hyperparameter configurations and random seed settings. The training environment consisted of:
Hardware: NVIDIA Tesla V100 GPU
Framework: TensorFlow 2.4.1
Python Version: 3.8.5
Key Libraries: scikit-learn 0.24.2, pandas 1.2.4
This methodology was designed to thoroughly test deep learning models for their suitability in DDoS attack detection, focusing on reproducibility and practical applicability within real-world network security scenarios. Hyperparameter tuning using grid search with cross-validation was performed against the models used to ensure optimal performance. Final configurations were chosen based upon validation set performance while considering computational efficiency and practical deployment constraints.
Results and discussion
This section presents the performance metrics of the deep learning models (BERT, DNN, RNN, LSTM, Bi-LSTM, and GRU) on the CIC-DDoS2019 dataset in terms of accuracy, precision, recall, and F1 score. The results fill the research gap in applying transformer-based models such as BERT to structured network data and comparing them with sequence-based models (RNN, LSTM, Bi-LSTM, and GRU). The better performance of the sequence-based models, especially the RNN, supports our conjecture that modelling temporal dependency is essential in DDoS detection. The new preprocessing pipeline, with adaptive temporal window selection and composite feature engineering, together with the architectural advancements, including the modified BERT and attention-augmented RNN variants, greatly improves detection performance.
Performance metric
The performance metrics for the evaluated models are presented in Table 1. The RNN model achieved the highest accuracy (97.85%) and F1 score (97.77%), followed closely by GRU (97.12% accuracy and 97.05% F1 score) and Bi-LSTM (96.98% accuracy and 96.90% F1 score). LSTM performed slightly lower (96.45% accuracy and 96.37% F1 score), while DNN and BERT had lower performance, with 94.32% and 93.87% accuracy, respectively. The superior performance of sequence-based models (RNN, GRU, Bi-LSTM, and LSTM) over BERT and DNN confirms their ability to capture temporal dependencies in network traffic, addressing the gap in applying advanced deep learning models to structured data. The novel preprocessing pipeline, with adaptive temporal window selection and composite features, enhanced model sensitivity to attack patterns, while the attention mechanism in RNN variants further improved temporal pattern recognition. Though less effective than sequence-based models, the modified BERT architecture outperformed the baseline BERT (91.50% accuracy), indicating potential for transformer-based models with further optimisation.
Table 1. Model performance comparison
| Model | Accuracy | Precision | Recall | F1 Score |
|---|---|---|---|---|
| BERT | 0.9125 | 0.8327 | 0.9125 | 0.8708 |
| Dense | 0.9200 | 0.9025 | 0.9200 | 0.9009 |
| RNN | 0.9785 | 0.9780 | 0.9785 | 0.9777 |
| LSTM | 0.9685 | 0.9681 | 0.9685 | 0.9683 |
| Bi-LSTM | 0.9680 | 0.9703 | 0.9680 | 0.9688 |
| GRU | 0.9670 | 0.9709 | 0.9670 | 0.9683 |
The BERT model, which is pretrained on vast amounts of text data and fine-tuned for this task, achieved an accuracy of 91.25%. However, as illustrated in Fig. 5, BERT exhibited the lowest precision (83.27%) among the models evaluated. This lower precision reflects a higher rate of false positives, which means that BERT frequently misclassifies benign traffic as malicious. While BERT is renowned for its effectiveness in natural language processing tasks, its architecture appears less suited to network traffic data’s structured and numerical nature. This misalignment likely accounts for its comparatively lower performance in DDoS detection. The model’s F1 score of 87.08% supports this, suggesting that while BERT can detect DDoS attacks, it is less reliable than the other tested models.
Fig. 5. Model comparison heatmap
The Dense Neural Network (DNN) showed a moderate improvement over BERT, with an accuracy of 92.00% and a precision of 90.25%. The DNN’s balanced performance across all the metrics, reflected in a 92.00% recall and 90.09% F1 score, indicates that it can effectively distinguish between benign and malicious traffic. However, as shown in Fig. 6, its slightly lower recall than the sequential models suggests that the DNN might miss some attack instances. This limitation can be attributed to the DNN architecture, which processes input data in a static, feed-forward manner without considering the temporal dependencies inherent in network traffic.
Fig. 6. Model comparison
Recurrent neural networks (RNNs) demonstrated the highest overall performance, attaining 97.85% accuracy and 97.80% precision. The RNN’s ability to process data sequences by maintaining hidden states allows it to capture the critical temporal patterns in identifying Distributed Denial of Service (DDoS) attacks. This model’s recall of 97.85% and F1 score of 97.77% further underscore its effectiveness in this domain. The results suggest that RNNs are particularly well suited for detecting anomalies in network traffic where the sequence and timing of packets are key indicators of an attack. Figure 7 emphasises this superior performance by comparing the models’ performance metrics.
Fig. 7. Model comparison metric heatmaps
Both the LSTM (long short-term memory network) and Bi-LSTM (bidirectional LSTM) models showed excellent performance. The LSTM model had 96.85% accuracy and 96.81% precision, while the Bi-LSTM model reported 96.80% accuracy and a slightly improved precision of 97.03%. The Bi-LSTM's improved precision is attributed to its bidirectional architecture, which allows the model to consider both past and future context in a sequence, leading to a more comprehensive recognition of network traffic patterns. Both LSTM and Bi-LSTM models had good recall (96.85% and 96.80%, respectively) and F1 scores (96.83% and 96.88%, respectively) and are, therefore, stable options for DDoS detection in settings where temporal relationships need to be captured. As shown in Fig. 8, both models have solid learning curves, with training and validation accuracy increasing over the epochs.
Fig. 8. Model accuracy over epochs
GRUs (Gated Recurrent Units), a type of RNN (Recurrent Neural Network), achieved impressive results, with an accuracy of 96.70% and a precision of 97.09%. The GRU model's F1 score of 96.83% and its computational efficiency make it a promising choice, especially where resources are limited. The GRU's performance is comparable to that of LSTM (Long Short-Term Memory) and Bi-LSTM (Bidirectional LSTM), demonstrating its ability to capture the necessary temporal patterns in network data while offering a simpler and more efficient training process.
Model limitations analysis
Table 2 presents a comprehensive analysis of limitations across different deep learning architectures employed in the research. The models were evaluated across three critical dimensions: performance limitations, resource requirements, and implementation challenges.
Table 2. Comprehensive analysis of model limitations
| Model type | Performance limitations | Resource limitations | Implementation challenges |
|---|---|---|---|
| BERT | Poor handling of numerical features [46]; limited ability to capture network-specific patterns; difficulty processing variable-length flows | 3.5 × longer training time than RNN; high memory requirements; significant computational overhead | Complex integration with existing systems; requires substantial data transformation; limited scalability in real-time scenarios |
| Dense neural network | Unable to capture temporal dependencies; higher false-positive rate; limited generalisation to new attacks | Scales poorly with feature set size; memory-intensive for large datasets | Requires careful feature engineering; sensitive to input data quality; limited flexibility in deployment |
| RNN | Gradient vanishing with long sequences; reduced performance on low-and-slow attacks; sensitivity to sequence length | Memory constraints for large logs; moderate computational requirements | Complex hyperparameter tuning; requires careful sequence preparation; challenging to parallelise |
| LSTM/Bi-LSTM | Overfitting with limited data; increased detection latency; complex training requirements [47, 49] | High computational demands; large memory footprint; slower inference time | Difficult to optimise; complex deployment pipeline; resource-intensive training |
| GRU | Reduced long-term dependency capture; performance degradation with variable traffic; limited detection of complex attack signatures | Moderate memory requirements; balanced computational needs | Sensitive to input preprocessing; requires careful architecture design; trade-off between speed and accuracy |
Conclusion
This research examines several deep learning models for DDoS attack detection using the CIC-DDoS2019 dataset. The models evaluated are RNNs (recurrent neural networks), BERT, DNNs (dense neural networks), LSTMs (long short-term memory networks), Bi-LSTM (bidirectional LSTM), and GRUs (gated recurrent units). Through a robust performance evaluation using standard metrics (recall, F1 score, accuracy, and precision), RNNs and their variants (LSTM, Bi-LSTM, and GRU) were found to outperform BERT and DNNs in detecting DDoS attacks.
The RNN model was the most accurate model and had the highest F1 score among all models tested. This is because the RNN can observe and examine temporal patterns within network traffic, which are the most critical signal for distinguishing benign from malicious activity. LSTM, Bi-LSTM, and GRU also perform extremely well, confirming that models designed for sequential data are well suited to tasks such as DDoS detection, where the timing and ordering of events matter. Conversely, while powerful in natural language processing, the BERT model does not perform well on structured network traffic data. Its lower precision translates into a higher false-positive rate and could produce excessive alerts in a real network security deployment. The dense model, while more balanced, lacks the temporal processing that gives RNN and its relatives a clear advantage.
The results of this research emphasise the importance of choosing models that suit the specific nature of the data and the requirements of the detection task. In real-world network intrusion detection systems (NIDSs), RNN-based models are a viable solution for detecting and preventing DDoS attacks. Their ability to handle sequential data makes them well suited to real-time detection, where fast and accurate identification of threats is required.
Future work might further refine these models for greater accuracy and efficiency, exploring hybrid techniques that combine the strengths of different architectures. It would also be informative to test these models in live network settings to better understand their performance under real-world conditions, enabling further refinement and deployment in network security infrastructures. This research adds to the continued effort to strengthen cybersecurity defences by offering unequivocal evidence of the ability of deep learning models, especially those that handle sequential data, to detect DDoS attacks.
Acknowledgements
Not applicable.
Author contributions
NM helped in conceptualisation; NM and FE helped in methodology; NM and FE worked in software; all authors helped in validation; all authors contributed to writing—original draft preparation; all authors helped in formal analysis; all authors contributed to writing—review and editing; and all authors have read and agreed to the published version of the manuscript.
Funding
Not applicable.
Data availability
Available upon request.
Declarations
Competing interests
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
1. Mandela N, Shaker A, Etyang F (2023) Comparison of ensemble models for the classification of malicious URLs. Int J Res Appl Sci Eng Technol 11
2. Hasan K, Hossain KS, Alam MS, Islam MZ, Apurbo GM, Ahmed MF, Noor J, Hossain MI (2024) Real-time DDoS detection in software-defined networks using machine learning. In: 2024 27th international conference on computer and information technology (ICCIT). IEEE, pp 453–458
3. Shaker AA, Mandela N, Agrawal AK (2022) Review on analysing and detecting crimes. In: International conference on communication, networks and computing. Springer Nature Switzerland, Cham, pp 116–127
4. Ahmim A, Maazouzi F, Ahmim M, Namane S, Dhaou IB (2023) Distributed denial of service attack detection for the internet of things using hybrid deep learning model. IEEE Access 11:119862–119875. https://dx.doi.org/10.1109/ACCESS.2023.3327620
5. Zinca D, Dobrota V (2023) DDoS attack detection using supervised machine learning algorithms over the CIDDOS2019 dataset. Acta Tech Napocensis 63
6. Wu J, Liu Y (2024) Real-time malicious traffic detection based on frequency domain features. In: 2024 16th international conference on wireless communications and signal processing (WCSP). IEEE, pp 709–714
7. Abdel-Wahab MS, Neil AM, Atia A (2020) A comparative study of machine learning and deep learning in network anomaly-based intrusion detection systems. In: 2020 15th international conference on computer engineering and systems (ICCES). IEEE, pp 1–6
8. Nguyen KK, Hoang DT, Niyato D, Wang P, Nguyen D, Dutkiewicz E (2018) Cyberattack detection in mobile cloud computing: a deep learning approach. In: 2018 IEEE wireless communications and networking conference (WCNC). IEEE, pp 1–6
9. Xin Y, Kong L, Liu Z, Chen Y, Li Y, Zhu H, Gao M, Hou H, Wang C (2018) Machine learning and deep learning methods for cybersecurity. IEEE Access 6:35365–35381. https://dx.doi.org/10.1109/ACCESS.2018.2836950
10. Singh A, Gupta BB (2022) Distributed denial-of-service (DDoS) attacks and defense mechanisms in various web-enabled computing platforms: issues, challenges, and future research directions. Int J Semant Web Inf Syst 18
11. Sabeel U, Heydari SS, Elgazzar K (2019) Deep learning techniques for denial of service attack detection in software-defined networks. In: 2019 IEEE global communications conference (GLOBECOM). IEEE, pp 1–6
12. Etyang F, Pavithran P, Mwendwa G, Mandela N, Hillary M (2024) Enhanced deep learning approaches for robust darknet traffic classification. In: 2024 3rd edition of IEEE Delhi section flagship conference (DELCON). IEEE, pp 1–7
13. Cil AE, Yildiz K, Buldu A (2021) Deep learning-based DDoS attack detection in software-defined networking. Int J Adv Comput Sci Appl 12
14. Sarker IH (2021) Deep cybersecurity: a comprehensive overview from neural network and deep learning perspective. SN Comput Sci 2
15. Alzahrani RJ, Alzahrani A (2021) Security analysis of DDoS attacks using machine learning algorithms in networks traffic. Electronics 10
16. Seifousadati A, Ghasemshirazi S, Fathian M (2021) A machine learning approach for DDoS detection on IoT devices. arXiv preprint arXiv:2110.14911
17. Amrish R, Bavapriyan K, Gopinaath V, Jawahar A, Kumar CV (2022) DDoS detection using machine learning techniques. J IoT Soc Mobile Anal Cloud 4
18. Shaaban AR, Abd-El-Latif AA, Elwahsh H (2019) Convolutional neural network-based DDoS attack detection in software-defined networks. In: 2019 15th international computer engineering conference (ICENCO). IEEE, pp 89–94
19. Chen J, Yang YT, Hu KK, Zheng HB, Wang Z (2019) DAD-MCNN: DDoS attack detection via multi-channel CNN. In: Proceedings of the 2019 11th international conference on machine learning and computing, pp 484–488
20. Nugraha B, Murthy RN (2020) Deep learning-based DDoS attack detection using hybrid CNN-LSTM in SDN networks. J Netw Comput Appl 165:102693
21. Yeom S, Choi C, Kim K (2022) LSTM-based collaborative source-side DDoS attack detection. IEEE Access 10:44033–44045. https://dx.doi.org/10.1109/ACCESS.2022.3169616
22. Elsaeidy AA, Jamalipour A, Munasinghe KS (2021) A hybrid deep learning approach for replay and DDoS attack detection in a smart city. IEEE Access 9:154864–154875. https://dx.doi.org/10.1109/ACCESS.2021.3128701
23. Wei Y, Jang-Jaccard J, Sabrina F, Singh A, Xu W, Camtepe S (2021) AE-MLP: a hybrid deep learning approach for DDoS detection and classification. IEEE Access 9:146810–146821. https://dx.doi.org/10.1109/ACCESS.2021.3123791
24. Hnamte V, Hussain J (2023) DDoS detection using hybrid deep neural network approaches. In: 2023 IEEE 8th international conference for convergence in technology (I2CT). IEEE, pp 1–8
25. Agrawal N, Tapaswi S (2019) Defense mechanisms against DDoS attacks in a cloud computing environment: state-of-the-art and research challenges. IEEE Commun Surv Tutor 21
26. Venkatesan S, Albanese M, Amin K, Jajodia S, Wright M (2016) A moving target defense approach to mitigate DDoS attacks against proxy-based architectures. In: 2016 IEEE conference on communications and network security (CNS). IEEE, pp 198–206
27. Kansal V, Dave M (2017) Proactive DDoS attack detection and isolation. In: 2017 international conference on computer, communications and electronics (Comptelix). IEEE, pp 334–338
28. Kansal V, Dave M (2017) Proactive DDoS attack detection and isolation. In: 2017 international conference on computer, communications and electronics (Comptelix). IEEE, pp 334–338
29. Wu Y, Wei D, Feng J (2019) Transfer learning for intrusion detection systems: a comprehensive survey. IEEE Commun Surv Tutor 21
30. Okey OD, Maidin SS, Adediran A (2023) Transfer learning for DDoS attack detection in IoT networks. Comput Electr Eng 105:108513
31. Zhang J, Yu P, Qi L, Liu S, Zhang H, Zhang J (2021) FLDDoS: DDoS attack detection model based on federated learning. In: 2021 IEEE 20th international conference on trust, security and privacy in computing and communications (TrustCom). IEEE, pp 635–642
32. Yang L, Shami A, Stevens G, De Rusett S (2022) LCCDE: a decision-based ensemble framework for intrusion detection in the internet of vehicles. In: GLOBECOM 2022–2022 IEEE global communications conference. IEEE, pp 3545–3550
33. Cheng J, Xu R, Tang X, Sheng VS, Cai C (2018) An abnormal network flow feature sequence prediction approach for DDoS attacks detection in big data environment. Comput Mater Continua 55
34. Kushwah GS, Ranga V (2021) Optimised extreme learning machine for detecting DDoS attacks in cloud computing. Comput Secur 105:102260. https://dx.doi.org/10.1016/j.cose.2021.102260
35. Agostinello D, Genovese A, Piuri V (2023) Anomaly-based intrusion detection system for DDoS attack with deep learning techniques. In: Proceedings of the 20th international conference on security and cryptography, vol 1. SCITEPRESS, pp 267–275
36. Ullah I, Mahmoud QH (2022) Design and development of RNN anomaly detection model for IoT networks. IEEE Access 10:62722–62750. https://dx.doi.org/10.1109/ACCESS.2022.3176317
37. Rahman MA (2020) Detection of distributed denial of service attacks based on machine learning algorithms. Int J Smart Home 14
38. Hariprasad S, Deepa T, Bharathiraja N (2022) Detection of DDoS attack in IoT networks using sample selected RNN-ELM. Intell Autom Soft Comput. https://dx.doi.org/10.32604/iasc.2022.022856
39. Aswad FM, Ahmed AMS, Alhammadi NAM, Khalaf BA, Mostafa SA (2023) Deep learning in distributed denial-of-service attacks detection method for Internet of Things networks. J Intell Syst 32
40. Almiani M, AbuGhazleh A, Jararweh Y, Razaque A (2021) DDoS detection in 5G-enabled IoT networks using deep Kalman backpropagation neural network. Int J Mach Learn Cybern 12
41. Badawy M, Ramadan N, Hefny HA (2023) Healthcare predictive analytics using machine learning and deep learning techniques: a survey. J Electr Syst Inf Technol 10
42. Alghazzawi D, Bamasag O, Ullah H, Asghar MZ (2021) Efficient detection of DDoS attacks using a hybrid deep learning model with improved feature selection. Appl Sci 11
43. Doriguzzi-Corin R, Siracusa D (2024) FLAD: adaptive federated learning for DDoS attack detection. Comput Secur 137:103597. https://dx.doi.org/10.1016/j.cose.2023.103597
44. Zhang X (2025) Graph neural networks in network security: from theoretical foundations to applications
45. Sharafaldin I, Lashkari AH, Hakak S, Ghorbani AA (2019) Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In: IEEE 53rd international Carnahan conference on security technology, Chennai, India
46. Chen W, Xiao S, Liu L, Jiang X, Tang Z (2020) A DDoS attacks traceback scheme for SDN-based smart city. Comput Electr Eng 81:106503. https://dx.doi.org/10.1016/j.compeleceng.2019.106503
47. Kulkarni MD, Alfatmi K, Deshmukh NS (2021) Social distancing using IoT approach. J Electr Syst Inf Technol 8
48. Wang J, Wang L (2022) SDN-Defend: a lightweight online attack detection and mitigation system for DDoS attacks in SDN. Sensors 22
49. Mandela N, Sonia N, Mistry N, Nagpal A (2025) Efficient dark web traffic classification using a hybrid CNN-LSTM model. Int J Inf Technol. https://dx.doi.org/10.1007/s41870-025-02427-x
50. Mandela N, Mahmoud AAS, Agrawal A (2022) Implications of forensic investigation in Dark web. In: International conference on communication, networks and computing. Springer Nature Switzerland, Cham, pp 103–115
51. Qamar R, Zardari BA, Hussain Z, Arain AA (2024) Detection of distributed denial of service (DDoS) cyber attacks through deep learning neural network. Pakistan J Eng Technol Sci (PJETS) 12
© The Author(s) 2025. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.