Anomaly-Based Intrusion Detection System for DDoS Attack with Deep
Learning Techniques
Davide Agostinello (a), Angelo Genovese (b) and Vincenzo Piuri (c)
Università degli studi di Milano, Department of Computer Science, Italy
Keywords:
Deep Learning, Intrusion Detection System, DDoS.
Abstract:
The increasing number of connected devices is fostering a rising frequency of cyber attacks, with Distributed
Denial of Service (DDoS) attacks among the most common. To counteract DDoS, companies and large orga-
nizations are increasingly deploying anomaly-based Intrusion Detection Systems (IDS), which detect attack
patterns by analyzing differences in malicious network traffic against a baseline of legitimate traffic. To differ-
entiate malicious and normal traffic, methods based on artificial intelligence and, in particular, Deep Learning
(DL) are being increasingly considered, due to their ability to automatically learn feature representations for
the different traffic types, without need of explicit programming or handcrafted feature extraction.
In this paper, we propose a novel methodology for simulating an anomaly-based IDS based on adaptive DL
by designing multiple DL models working with both binary and multi-label classification on multiple datasets
with different degrees of complexity. To make the DL models adaptable to different conditions, we consider
adaptive architectures obtained by automatically tuning the number of neurons for each situation. Results on
publicly-available datasets confirm the validity of our proposed methodology, with DL models adapting to the
different conditions by increasing the number of neurons on more complex datasets and achieving the highest
accuracy in the binary classification configuration.
1 INTRODUCTION
The rising number of connected devices and network
traffic is causing a growth in the number of cyber at-
tacks. Cyber security is then increasingly being pri-
oritized in a wide number of situations, from small
networks at a company level to large infrastructures
at a national level. Among cyber attacks, Distributed
Denial of Service (DDoS) represents one of the most
widespread. A DDoS attack consists in the satura-
tion of the resources of a service through the overload
of requests coming from multiple sources previously
compromised by malware. As a result of a DDoS
attack, the service is no longer available to legitimate
users.
To protect against cyber attacks and DDoS attacks, Intrusion Detection Systems (IDSs) are being increasingly studied and deployed. In particular, anomaly-based IDSs work by establishing a baseline of “normal” network traffic and detecting “malicious” traffic and hence possible attacks when significant differences from the baseline are detected. Recent IDSs often rely on Artificial Intelligence and in particular Deep Learning (DL), which represents a promising solution to differentiate normal from malicious traffic, due to the ability of DL models to automatically learn feature representations and perform classification with high accuracy (Gümüşbaş et al., 2021).
(a) https://orcid.org/0009-0006-5629-0483
(b) https://orcid.org/0000-0002-3683-4723
(c) https://orcid.org/0000-0003-3178-8198
DL-based approaches for IDSs can be categorized
by considering the learning paradigm and the type
of classification. Learning paradigms comprise su-
pervised instance learning, which includes methods
using labeled instances and based on Deep Neural
Networks (DNN) or Convolutional Neural Networks
(CNN) and supervised sequence learning, which in-
cludes methods using series of data and based on Re-
current Neural Networks (RNN) or Long Short-Term
Memory (LSTM). Moreover, the type of classification
can either be binary, by classifying traffic as either
“normal” or “DDoS”, or multi-label, by also classify-
ing different types of malicious traffic (Mittal et al.,
2022).
In this paper, we propose a simulation of an anomaly-based IDS using adaptive DL models in different configurations, obtained by considering DNN- and CNN-based models (supervised instance learning) and RNN-based models (supervised sequence learning approaches) with both a binary and a multi-label classification variant. To determine which configuration works best and in what conditions, in all the models and classification variants we consider different adaptive architectures, obtained by automatically optimizing the number of neurons in the hidden layers, adding the capability of the considered architectures to adapt to different conditions.
Agostinello, D., Genovese, A. and Piuri, V.
Anomaly-Based Intrusion Detection System for DDoS Attack with Deep Learning Techniques.
DOI: 10.5220/0012146100003555
In Proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023), pages 267-275
ISBN: 978-989-758-666-8; ISSN: 2184-7711
Copyright © 2023 by SCITEPRESS Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)
To the best of our knowledge, no method in the
literature has performed a simulation of different
DL-based models for IDSs by considering both su-
pervised instance learning and supervised sequence
learning approaches, in both a binary and multi-label
classification, and using adaptive architectures with
an optimized number of neurons.
The remainder of the paper is structured as fol-
lows. Section 2 presents the related works, distin-
guishing the different learning paradigms that can be
applied. Section 3 describes our methodology. Sec-
tion 4 introduces the datasets used in our experimen-
tal evaluation. Section 5 describes the experimental
results. Finally, Section 6 concludes the paper.
2 RELATED WORKS
Anomaly-based IDSs using DL can be distinguished
into i) supervised instance learning, ii) supervised sequence
learning, iii) semi-supervised learning, and
iv) hybrid learning (Mittal et al., 2022). We describe
each of them next.
Supervised Instance Learning: this category in-
cludes methods that train the models using labeled in-
stances, such as the ones based on DNN and CNN.
In particular, we can distinguish i) methods based on
DNN and ii) methods based on CNN.
Methods based on DNN include the works described
in (Asad et al., 2020; Cil et al., 2021; Sbai and
El boukhari, 2020), which detect DDoS attacks by
training and testing the model on the CIC-IDS-2017
and CIC-DDoS-2019 datasets. The work described in
(Sabeel et al., 2019) considers DNN as well as LSTM
models to predict both DoS and unknown attacks, by
training the models using the CIC-IDS-2017 dataset
and testing them on a self-produced dataset. A DNN
architecture is also considered in the work presented
in (Amaizu et al., 2021), with the difference of using
an ensemble of two DNNs to increase the classifica-
tion accuracy.
Methods based on CNN include the approach pre-
sented in (Kim et al., 2020), which trains a network
on the CIC-IDS 2018 and KDD datasets to detect DoS
attacks. To improve the recognition accuracy with re-
spect to using a single CNN, the method introduced in
(Haider et al., 2020) considers an ensemble of CNNs,
while the work described in (Wang and Liu, 2020)
presents a multi-level framework that first performs
a coarse detection of suspicious traffic, then uses the
CNN to make a fine-grained distinction between nor-
mal and malicious traffic.
Differently from the CNN-based approaches de-
scribed in (Kim et al., 2020; Haider et al., 2020; Wang
and Liu, 2020), which aim at increasing the detec-
tion accuracy, the methods proposed in (Doriguzzi-
Corin et al., 2020; de Assis et al., 2020) have the
purpose of reducing the computational complexity of
CNN-based DDoS detection and allow a deployment
of DL-based IDS in real-time scenarios or on de-
vices with limited resources. In particular, the ap-
proach proposed in (de Assis et al., 2020) considers
one-dimensional –rather than two-dimensional– con-
volutional layers. Similarly, the work presented in
(Doriguzzi-Corin et al., 2020) considers a CNN with
a reduced number of one-dimensional convolutional
layers in combination with an ad-hoc preprocessing
algorithm.
Supervised Sequence Learning: this category in-
cludes methods that train the models using series of
data, such as the ones based on RNN, LSTM, and
Gated Recurrent Units (GRU). In particular, we can
distinguish i) methods based on LSTM and ii) meth-
ods based on GRU.
Methods based on LSTM include the work described
in (Liang and Znati, 2019), which applies the model
on raw network flow with the purpose of differentiat-
ing normal traffic and DDoS attacks. The method pre-
sented in (Ferrag et al., 2021) also considers LSTM,
adding a comparison with CNNs and DNN
within the applicative scenario of IoT-enabled net-
works.
Methods based on GRU include the paper proposed in
(Assis et al., 2021), which showed that GRUs resulted
in greater accuracy in detecting DDoS attacks with
respect to LSTMs, despite using fewer parameters.
Semi-Supervised Learning: this category includes methods that train the models using unlabeled data in the pre-training stage, then fine-tune them using a combination of both labeled and unlabeled data, such as the ones based on Auto-Encoders (AE) and Support Vector Machines (SVM). For example, the work described in (Kasim, 2020) preprocesses data with a principal component analysis, then applies an AE to further reduce data dimensionality and extract the features. Lastly, it considers an SVM to perform the classification and detect DDoS attacks. Similarly, the approach proposed in (Bhardwaj et al., 2020) describes an AE for feature extraction, followed by a DNN for feature classification.
[Figure 1 diagram. Datasets: CSE-CIC-IDS-2018, CIC-DDoS-2019. Data preprocessing: Cleaning, Transformation, Reduction. DL-based architecture definition: DNN-based IDS, CNN-based IDS, RNN-based IDS, each in a Binary and a Multi-label variant. Adaptive architecture optimization: Hyperparameter tuning, Training.]
Figure 1: Outline of our methodology. After the data preprocessing step, we define six different configurations of DL-based architectures, considering DNN-, CNN-, and RNN-based models, each in a binary and a multi-label classification variant. Then, we perform the optimization by tuning the hyperparameters of each adaptive architecture and then training the DL-based models on the considered datasets for DDoS detection.
Hybrid Learning: this category includes meth-
ods that combine two or more approaches, usually
to leverage the capability of sequence learning ap-
proaches (e.g., LSTM) to process series of data with
the capability of instance learning approaches (e.g.,
CNN) to detect specific patterns when trained using
labeled data. For example, the works presented in
(Roopak et al., 2019; Roopak et al., 2020) combine
a model based on a CNN with a model based on a
LSTM, then use a fully-connected layer to output the
results, achieving a superior accuracy with respect to
using the two models separately. Similarly, the ap-
proach described in (Elsayed et al., 2020) combines
an AE to perform a feature extraction, a RNN to pro-
cess the series of data, and a fully-connected layer to
perform the classification.
In the literature, methods based on supervised in-
stance learning (e.g., DNN, CNN) and supervised se-
quence learning (e.g., RNN) are the most studied and
represent the majority of the approaches for anomaly-
based IDSs. Therefore, in our work we consider
DL-based models based on DNN, CNN, and RNN.
However, no method in the literature has performed a
simulation of different DL-based models for IDSs by
considering adaptive architectures with an optimized
number of neurons, using both a binary and a multi-
label classification.
3 PROPOSED METHODOLOGY
This section describes the proposed methodology for
simulating an anomaly-based IDS for DDoS attack
detection. After a preprocessing step, necessary to
bring the different datasets into a common format,
we define the different configurations obtained by
considering DNN- and CNN-based models (super-
vised instance learning) and RNN-based models (su-
pervised sequence learning approaches) in both a bi-
nary and a multi-label classification variant. Then,
in all the models and classification types we consider
adaptive architectures, obtained by automatically op-
timizing the number of neurons in the hidden layers.
The methodology comprises three steps: i) data
preprocessing, ii) DL-based architecture definition,
and iii) adaptive architecture optimization. Fig. 1 outlines
our methodology: after the data preprocessing
step, we define six different configurations of DL-
based architectures, considering DNN-, CNN-, and
RNN-based models, each in a binary and a multi-label
classification variant. Then, we perform the optimiza-
tion by tuning the hyperparameters of each adaptive
architecture and then training the DL-based models
on the considered datasets for DDoS detection.
3.1 Data Preprocessing
Data preprocessing has the purpose of bringing the
different datasets into a common format, by removing
inconsistent or missing values, encoding the labels
in numerical values, and reducing the dimensional-
ity, following common practices when preparing data
for intrusion detection (Srikanth Yadav. and Kalpana.,
2019; Alasadi and Bhaya, 2017). This step consists of
three tasks: i) cleaning, ii) transformation, and iii) re-
duction.
Cleaning: this task involves the removal of incon-
sistent or missing values. First, we remove columns
that do not contain values useful for model training,
such as socket-related features and columns contain-
ing only zeros. Then, we remove duplicate rows and
rows containing NaNs. Lastly, we replace infinite and
null values with 1, as described in (Cil et al., 2021).
Transformation: this task involves the transformation of the dataset to ensure comparable numerical values across different datasets. First, we normalize the numerical values in the range [0, 1] using the min-max method. Second, we apply label encoding to categorical features, by transforming categorical values into numerical values, considering two methods proposed in the literature:
- Label encoder: involves the conversion of each label into a number;
- One Hot Encoder (OHE): involves the conversion of the label of each row into a vector v of n columns, where n is the number of labels, with v_i = 1 if the row is associated with the i-th label, and v_i = 0 otherwise.
Reduction: this task involves reducing the dimen-
sionality of the data to ensure a common number of
features in the different datasets, reduce noise in the
features, and speed up the training of DL-based mod-
els. To perform the reduction, first we apply the PCA
technique, then we select the number of principal
components using the MLE method (Minka, 2000).
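The cleaning, transformation and reduction tasks of this section, as an added example in pandas and scikit-learn (not the authors' code), run on constructed flows rather than CIC data. The feature names feat_0 to feat_5, the label values and all function names are assumptions; scikit-learn's PCA(n_components="mle") is used for the MLE-based choice of components.

```python
import numpy as np
import pandas as pd
from sklearn.decomposition import PCA
from sklearn.preprocessing import LabelEncoder, MinMaxScaler

# Socket-related columns as named in the paper's dataset description.
SOCKET_COLS = ["Flow ID", "Source IP", "Source Port", "Destination IP",
               "Destination Port", "Protocol", "Timestamp"]


def make_constructed_flows(seed=7):
    """Constructed sample (not CIC data): 200 unique flows, 20 repeated flows,
    3 rows with a NaN, 5 rows with an infinite value, one all-zero column."""
    rng = np.random.default_rng(seed)
    latent = rng.normal(size=(200, 3))          # 3 factors drive 6 features
    feats = latent @ rng.normal(size=(3, 6)) + 0.05 * rng.normal(size=(200, 6))
    df = pd.DataFrame(feats, columns=[f"feat_{i}" for i in range(6)])
    df["Bwd PSH Flags"] = 0                     # column containing only zeros
    df["Label"] = rng.choice(["Benign", "Syn", "UDP"], size=200)
    df.loc[100:102, "feat_1"] = np.nan
    df.loc[150:154, "feat_2"] = np.inf
    df = pd.concat([df, df.iloc[:20]], ignore_index=True)
    # Socket fields differ per row, so the repeats only become duplicates
    # once these columns are dropped.
    df["Flow ID"] = [f"flow-{i}" for i in range(len(df))]
    df["Source IP"] = "192.0.2.1"
    df["Timestamp"] = "2018-02-15 10:00:00"
    return df


def clean(df):
    """Cleaning, in the order given in the text: drop socket and all-zero
    columns, drop duplicate rows and NaN rows, replace infinities with 1."""
    df = df.drop(columns=SOCKET_COLS, errors="ignore")
    numeric = df.select_dtypes(include="number")
    zero_cols = [c for c in numeric.columns if (numeric[c] == 0).all()]
    df = df.drop(columns=zero_cols)
    stats = {"initial": len(df)}
    dup = df.duplicated()
    stats["duplicates"] = int(dup.sum())
    df = df[~dup]
    nan_rows = df.isna().any(axis=1)
    stats["nan_rows"] = int(nan_rows.sum())
    df = df[~nan_rows].copy()
    num_cols = df.select_dtypes(include="number").columns
    stats["inf_values"] = int(np.isinf(df[num_cols].to_numpy()).sum())
    # NaN rows are already gone, so only infinite values remain to replace.
    df[num_cols] = df[num_cols].replace([np.inf, -np.inf], 1.0)
    stats["final"] = len(df)
    return df.reset_index(drop=True), stats


def transform(df, label_col="Label", benign="Benign"):
    """Transformation: min-max scale features to [0, 1]; encode labels as
    integers (label encoder), one-hot vectors (OHE) and a binary target."""
    X = MinMaxScaler().fit_transform(df.drop(columns=[label_col]))
    encoder = LabelEncoder()
    y_int = encoder.fit_transform(df[label_col])
    y_ohe = np.eye(len(encoder.classes_))[y_int]   # v_i = 1 for the row's label
    y_bin = (df[label_col] != benign).to_numpy().astype(int)
    return X, y_int, y_ohe, y_bin, list(encoder.classes_)


def reduce_features(X):
    """Reduction: PCA with the number of components selected by MLE."""
    pca = PCA(n_components="mle", svd_solver="full")
    return pca.fit_transform(X), int(pca.n_components_)


def preprocess(df):
    cleaned, stats = clean(df)
    X, y_int, y_ohe, y_bin, classes = transform(cleaned)
    Z, k = reduce_features(X)
    return {"stats": stats, "X": X, "Z": Z, "k": k, "y_int": y_int,
            "y_ohe": y_ohe, "y_bin": y_bin, "classes": classes}


if __name__ == "__main__":
    out = preprocess(make_constructed_flows())
    print(out["stats"], "classes:", out["classes"], "PCA components:", out["k"])
```

In a deployed detector the scaler and PCA would be fitted on the training split only and then applied to new traffic, so that test data does not influence the learned ranges.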
3.2 DL-Based Architecture Definition
In this step we define the different DL architectures
that include supervised instance learning approaches
such as DNN and CNN, as well as supervised se-
quence learning approaches such as RNN. For all
models, we consider adaptive architectures, in which
the hidden layers have a variable size.
In our work we consider three different architec-
tures: i) DNN, ii) CNN, and iii) RNN. For each archi-
tecture, we consider two variants of the classification
types, one performing a binary classification and one
performing a multi-label classification.
3.2.1 DNN-Based IDS
As a first DL architecture, we consider a supervised
instance learning approach based on a DNN, with a
variable number of neurons in the hidden layer(s).
We consider two variants, one for binary classifica-
tion and one for multi-label classification.
Binary Classification: we design the DNN-based
IDS for binary classification with an input layer, a
hidden layer, and an output layer. We consider a Rec-
tified Linear Unit (ReLU) as activation function in the
input and hidden layers, while we use a sigmoid in the
output layer.
Multi-Label Classification: we design the multi-
label version with an additional hidden layer with re-
spect to the binary version, and also three dropout lay-
ers placed after the input and each hidden layer to re-
duce the possibility of overfitting. We consider the
ReLU as activation function in the input and hidden
layers, and a softmax function in the output layer.
3.2.2 CNN-Based IDS
As a second DL architecture, we consider a super-
vised instance learning approach based on a CNN,
with a variable number of neurons in the hidden
layer(s). We consider two variants, one for binary
classification and one for multi-label classification.
Binary Classification: we design the CNN-based
IDS for binary classification with an input layer, a
one-dimensional convolutional layer, a sub-sampling
layer, and a fully-connected layer. In the convolu-
tional layer we consider stride=1 and padding=0. We
used average-pooling instead of max-pooling as the
sub-sampling-layer to have a more uniform sampling
of the output coming from the convolutional layer. We
used the sigmoid as activation function in the output
layer.
Multi-Label Classification: we design the multi-
label version by considering an input layer, two one-
dimensional convolutional layers, a sub-sampling
layer, two fully-connected layers, and an output layer.
We used the ReLU as activation function in the con-
volutional layers and a softmax in the output layer.
3.2.3 RNN-Based IDS
As a third DL architecture, we consider a supervised
sequence learning approach based on a RNN, with
a variable number of neurons in the hidden layer(s).
We consider two variants, one for binary classifica-
tion and one for multi-label classification.
Binary Classification: we design the RNN-based
IDS for binary classification by considering a LSTM
model with an input layer, an LSTM layer, a dropout
layer, and a fully-connected layer. We use a sigmoid
activation function in the output layer.
Multi-Label Classification: we design the multi-
label version starting from the same architecture as
the one for binary classification and increasing the
number of neurons in the LSTM layer.
3.3 Adaptive Architecture Optimization
In this step we perform the optimization of the considered architectures to ensure the adaptability of the DL-based models to the different conditions. For all the architectures considered in this work, we consider hidden layers with a variable size and use a hyperparameter tuning method to automatically optimize the number of neurons in the hidden layers, adding the capability of the considered architectures to adapt to different conditions. In particular, we perform the optimization of the hyperparameters by tuning the number of units in hidden layers and the learning rate using the Hyperband method. We chose this method since it allows a good trade-off between time, resources and results.
Table 1: CSE-CIC-IDS-2018 dataset: size and number of rows for the 4 CSV files.
Filename      Size [MB]   N. rows
02-15-2018    358.53      1,048,575
02-16-2018    318.26      1,048,575
02-20-2018    3867.08     7,948,748
02-21-2018    313.66      1,048,575
Total         4,858       11,094,473
Table 2: CSE-CIC-IDS-2018 dataset: number of rows describing normal and malicious traffic.
Traffic type   Rows (#)    Rows (%)
Normal         9,176,239   82.7
Malicious      1,918,233   17.3
After optimizing the number of neurons and tun-
ing the learning rate, we train the models considering
a binary cross entropy loss function in the case of bi-
nary classification, while we considered a categorical
cross entropy in multi-label classification.
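How Hyperband allocates training epochs while tuning the two hyperparameters named above (hidden units and learning rate), as an added example that is not the authors' tuner code. The candidate values, the 81-epoch budget and surrogate_val_loss (a constructed stand-in for training a model and reading its validation loss) are assumptions; the bracket schedule follows the published Hyperband algorithm.

```python
import math
import random

# Assumed search space: the paper tunes hidden units and learning rate but
# does not list the candidate values.
UNITS = [8, 16, 32, 64, 128, 256]
LEARNING_RATES = [1e-2, 1e-3, 1e-4]


def sample_config(rng):
    """Draw one (units, learning_rate) pair uniformly from the assumed space."""
    return rng.choice(UNITS), rng.choice(LEARNING_RATES)


def surrogate_val_loss(config, epochs):
    """Constructed stand-in for 'train `epochs` epochs, return validation loss'.
    Lowest near 64 units and lr = 1e-3; improves with more epochs."""
    units, lr = config
    capacity_gap = 0.02 * abs(math.log2(units) - 6)
    lr_gap = 0.05 * abs(math.log10(lr) + 3)
    return capacity_gap + lr_gap + 0.5 / epochs


def hyperband_schedule(max_epochs, eta=3):
    """Return the brackets, each a list of (n_configs, epochs_each) rounds."""
    s_max = 0
    while eta ** (s_max + 1) <= max_epochs:      # floor(log_eta(max_epochs))
        s_max += 1
    brackets = []
    for s in range(s_max, -1, -1):
        # n = ceil((s_max + 1) * eta^s / (s + 1)), using integer arithmetic
        n = -(-(s_max + 1) * eta ** s // (s + 1))
        r = max_epochs / eta ** s                # epochs in the first round
        brackets.append([(n // eta ** i, r * eta ** i) for i in range(s + 1)])
    return brackets


def hyperband(evaluate, sampler, max_epochs=81, eta=3, seed=0):
    """Run Hyperband; return (best_config, best_loss, total_epochs_spent)."""
    rng = random.Random(seed)
    best = (math.inf, None)
    spent = 0
    for rounds in hyperband_schedule(max_epochs, eta):
        configs = [sampler(rng) for _ in range(rounds[0][0])]
        for n_i, r_i in rounds:
            # Successive halving: only the n_i best survivors are trained
            # further, each for r_i epochs.
            scored = sorted(((evaluate(c, r_i), c) for c in configs[:n_i]),
                            key=lambda pair: pair[0])
            spent += n_i * r_i
            best = min(best, scored[0], key=lambda pair: pair[0])
            configs = [c for _, c in scored]     # best first for next round
    return best[1], best[0], spent


if __name__ == "__main__":
    for rounds in hyperband_schedule(81):
        print(rounds)
    config, loss, spent = hyperband(surrogate_val_loss, sample_config)
    print("best:", config, "loss: %.4f" % loss, "epochs spent:", spent)
```

With an 81-epoch budget the five brackets start 143 candidates in total, yet only a handful are trained to the full 81 epochs; training all 143 to completion would cost 143 × 81 epochs.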
4 DATASETS
In this work we consider two recent datasets, CSE-
CIC-IDS-2018 and CIC-DDoS-2019, both developed
by the Canadian Institute for Cybersecurity (CIC) of
the University of New Brunswick (CIC, 2018; CIC,
2019). We chose these two datasets since the datasets
released by CIC are among the most used in the literature
and are representative of real network traffic
(Gümüşbaş et al., 2021).
CSE-CIC-IDS-2018: from the CSE-CIC-IDS-2018
dataset, we select the parts describing DDoS traffic
and normal traffic. As a result, we obtain 4 files,
with each file having 84 columns, 7 of which de-
scribe socket-related features (Flow ID, Source IP,
Source Port, Destination IP, Destination Port, Pro-
tocol and Timestamp). The resulting dataset de-
scribes 7 types of DDoS attacks, namely GoldenEye,
Slowloris, Hulk, SlowHTTPTest, LOIC-HTTP, HOIC,
LOIC-UDP. Table 1 presents an overview of the files
in the dataset, along with the number of rows in each
file, while Table 2 outlines the percentage of rows be-
longing to normal and malicious traffic.
CIC-DDoS-2019: the CIC-DDoS-2019 dataset consists of 18 files, divided into training and testing folders. Each file contains 87 feature columns: the first 80 columns contain features extracted with CICFlowMeter (Lashkari et al., 2017), while the remaining 7 columns contain socket-related features (Flow ID, Source IP, Source Port, Destination IP, Destination Port, Protocol and Timestamp). The dataset describes 18 types of attacks, including reflection- and exploitation-based attacks: DrDoS-LDAP, DrDoS-MSSQL, DrDoS-NetBIOS, DrDoS-SNMP, DrDoS-SSDP, DrDoS-UDP, UDP-lag, WebDDoS, Syn, TFTP, DrDoS-DNS, DrDoS-NTP, Portmap, NetBIOS, LDAP, MSSQL, UDP, and UDPLag. Table 3 presents an overview of the files in the dataset, along with the number of rows in each file. The majority of the rows in the dataset belong to malicious traffic, with > 99% of data describing attacks, as outlined in Table 4.
Table 3: CIC-DDoS-2019 dataset: size and number of rows for the 18 CSV files.
Filename              Size [MB]   N. rows
train/DrDoS LDAP      874.81      2,181,542
train/DrDoS MSSQL     1801.66     4,524,498
train/DrDoS NetBIOS   1618.84     4,094,986
train/DrDoS SNMP      2071.93     5,161,377
train/DrDoS SSDP      1194.65     2,611,374
train/DrDoS UDP       1436.27     3,136,802
train/UDPLag          150.65      370,605
train/Syn             607.79      1,582,681
train/TFTP            8871.09     20,107,827
train/DrDoS DNS       2034.48     5,074,413
train/DrDoS NTP       615.13      1,217,007
test/Portmap87f       74.97       191,694
test/NetBIOS          1352.76     3,455,899
test/LDAP87f          831.03      2,113,234
test/MSSQL            2275.68     5,775,786
test/UDP              1709.74     3,782,206
test/UDPLag87f        304.98      725,165
test/Syn              1790.40     4,320,541
Total                 29616.86    70,427,637
Table 4: CIC-DDoS-2019 dataset: number of rows describing normal and malicious traffic.
Traffic type   Rows (#)     Rows (%)
Normal         113,828      0.16
Malicious      70,313,809   99.84
5 EXPERIMENTS
In this section we present the experimental evaluation of our methodology by describing the output of the data preprocessing step and the accuracy results. In particular, for each DL model and variant we report the error measures on the considered datasets and the corresponding number of parameters obtained as a result of automatically adapting the number of neurons in the hidden layers.
Table 5: Result of preprocessing on the CSE-CIC-IDS-2018 dataset.
Filename         N. rows (initial)   Duplicates (#)   Duplicates (%)   N. inf   N. NaN   N. rows (final)
02-15-2018.csv   1,048,575           253,000          24.13            979      547      795,028
02-16-2018.csv   1,048,575           456,701          43.55            0        0        591,874
02-20-2018.csv   7,948,748           2,511,282        31.59            2,146    1,200    5,436,266
02-21-2018.csv   1,048,575           487,179          46.46            0        0        561,396
Total            11,094,473          3,708,162        33.42            3,125    1,747    7,384,564
Table 6: Result of preprocessing on the CIC-DDoS-2019 dataset.
Filename              N. rows (initial)   Duplicates (#)   Duplicates (%)   N. inf   N. NaN   N. rows (final)
train/DrDoS LDAP      2,181,542           2,150,051        98.56            2,480    10       31,491
train/DrDoS MSSQL     4,524,498           4,315,627        95.38            26,715   9        208,871
train/DrDoS NetBIOS   4,094,986           4,073,870        99.48            2,968    8        21,116
train/DrDoS SNMP      5,161,377           5,045,899        97.76            4,135    11       115,478
train/DrDoS SSDP      2,611,374           1,719,417        65.84            1,538    2        891,957
train/DrDoS UDP       3,136,802           2,059,422        65.65            1,401    7        1,077,380
train/UDPLag          370,605             277,586          74.90            68       2        93,019
train/Syn             1,582,681           1,426,794        90.15            30       6        155,887
train/TFTP            20,107,827          15,688,113       78.02            210      22       4,419,714
train/DrDoS DNS       5,074,413           4,958,122        97.71            10,146   22       116,291
train/DrDoS NTP       1,217,007           90,774           7.46             225      25       1,126,233
test/Portmap87f       191,694             185,605          96.82            143      1        6,089
test/NetBIOS          3,455,899           3,444,578        99.67            397      3        11,321
test/LDAP87f          2,113,234           2,089,308        98.87            2,911    7        23,926
test/MSSQL            5,775,786           5,501,052        95.24            36,281   5        274,734
test/UDP              3,782,206           2,484,620        65.69            2,286    2        1,297,586
test/UDPLag87f        725,165             585,350          80.72            163      3        139,815
test/Syn              4,320,541           3,840,392        88.89            346      16       480,149
Total                 70,427,637          59,936,580       85.10            92,443   161      10,491,057
We performed the experiments using Google Colab+,
with GPU enabled and RAM set as “high”, using
Python with the libraries Dask, Pandas, Keras, and
scikit-learn.
5.1 Data Preprocessing
We apply the data preprocessing procedure described
in Section 3.1 to the CSE-CIC-IDS-2018 and CIC-
DDoS-2019 datasets. In particular, in the data clean-
ing step we removed 17 columns from CSE-CIC-IDS-
2018:
- 7 socket-related features: Flow ID, Src IP, Src Port, Dst IP, Dst Port, Protocol, Timestamp;
- 10 features containing only zeros: Bwd PSH Flags, Fwd URG Flags, Bwd URG Flags, CWE Flag Count, Fwd Byts/b Avg, Fwd Pkts/b Avg, Fwd Blk Rate Avg, Bwd Byts/b Avg, Bwd Pkts/b Avg, Bwd Blk Rate Avg.
and removed 20 columns from CIC-DDoS-2019:
- 8 socket-related features: Flow ID, SourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, Timestamp, SimillarHTTP;
- 12 features containing only zeros: Bwd PSH Flags, Fwd URG Flags, Bwd URG Flags, FIN Flag Count, PSH Flag Count, ECE Flag Count, Fwd Avg Bytes/Bulk, Fwd Avg Packets/Bulk, Fwd Avg Bulk Rate, Bwd Avg Bytes/Bulk, Bwd Avg Packets/Bulk and Bwd Avg Bulk Rate.
At the end of the preprocessing phase, we reduced the CIC-IDS-2018 dataset from 11 to 7 million rows and from 84 to 56 columns, while we reduced the CIC-DDoS-2019 dataset from 70 to 10 million rows and from 87 to 57 columns. Table 5 and Table 6 outline the results of the preprocessing phase on the CIC-IDS-2018 and CIC-DDoS-2019 datasets, respectively.
Table 7: Accuracy results of the proposed anomaly-based IDS using DL.
Dataset            Class. variant   Model   N. param.   Accuracy (%)   Recall (%)   Precision (%)   F1-score (%)
CSE-CIC-IDS-2018   Binary           DNN     2,977       99.80          99.80        99.80           99.80
CSE-CIC-IDS-2018   Binary           CNN     8,065       99.33          99.33        99.34           99.33
CSE-CIC-IDS-2018   Binary           RNN     12,705      99.78          99.78        99.78           99.78
CSE-CIC-IDS-2018   Multi-label      DNN     11,608      99.79          99.79        99.79           99.78
CSE-CIC-IDS-2018   Multi-label      CNN     12,616      99.78          99.78        99.78           99.77
CSE-CIC-IDS-2018   Multi-label      RNN     25,832      98.59          98.59        98.57           98.53
CIC-DDoS-2019      Binary           DNN     5,185       99.95          99.95        99.95           99.95
CIC-DDoS-2019      Binary           CNN     9,537       99.88          99.88        99.89           99.88
CIC-DDoS-2019      Binary           RNN     12,705      99.80          99.80        99.81           99.80
CIC-DDoS-2019      Multi-label      DNN     17,183      77.41          77.41        77.52           71.78
CIC-DDoS-2019      Multi-label      CNN     19,135      77.29          77.29        77.56           71.65
CIC-DDoS-2019      Multi-label      RNN     71,687      73.52          73.52        64.52           66.55
[Figure 2 panels: (a) DNN, (b) CNN, (c) RNN]
Figure 2: Confusion matrices for the proposed DNN, CNN, and RNN models, using binary classification on the CSE-CIC-IDS-2018 dataset.
5.2 Results
First, we train and evaluate the models on the CSE-CIC-IDS-2018 dataset with fewer (7) labels, then on the CIC-DDoS-2019 dataset with more (18) labels. We evaluate the performance of the proposed models in terms of accuracy, precision, recall, and F1-score, considering 70% of data for training and 30% for testing.
Table 7 shows the accuracy results of the proposed
methodology, for the two datasets considered, the two
classification variants (binary and multi-label), and
the three models (DNN, CNN, RNN). From the table,
it is possible to observe that, in the case of binary clas-
sification, all the models exhibit a high performance
on the considered datasets (> 99% in all considered
metrics). In particular, the DNN model achieves the
best performance, with 99.80% and 99.95% accu-
racy on the CSE-CIC-IDS-2018 and CIC-DDoS-2019
datasets, respectively. However, when using the CIC-
DDoS-2019 dataset the models exhibit an increased
number of parameters. This is caused by the algo-
rithm for hyperparameter tuning that increases the
number of neurons in hidden layers to cope with the
increased complexity of the CIC-DDoS-2019 dataset,
which has more classes with respect to CSE-CIC-
IDS-2018. Figure 2 and Figure 3 present the confu-
sion matrices for the proposed models using binary
classification on the CSE-CIC-IDS-2018 and CIC-
DDoS-2019 datasets, respectively. The figures show
the high accuracy obtained when considering binary
classification.
In the case of multi-label classification, the models evaluated on the CSE-CIC-IDS-2018 dataset perform similarly to the binary classification case, at the cost of significantly increasing the number of parameters. However, when evaluating the multi-label classification models on the CIC-DDoS-2019 dataset, we can observe a decrease in performance, with < 80% in all considered metrics. The result is caused by the combined complexity of a multi-label classification with a more complex dataset with respect to CSE-CIC-IDS-2018.
[Figure 3 panels: (a) DNN, (b) CNN, (c) RNN]
Figure 3: Confusion matrices for the proposed DNN, CNN, and RNN models, using binary classification on the CIC-DDoS-2019 dataset.
However, it is worth noting that the CIC-DDoS-2019 dataset exhibits characteristics that limit the classification accuracy obtainable on the dataset. For example, the dataset contains classes with few representative samples and attacks which have a strong semantic similarity but are classified with separate labels (Ferrag et al., 2021; Chartuni and Márquez, 2021).
6 CONCLUSIONS
In this paper we proposed a simulation of anomaly-
based IDS using Deep Learning (DL) techniques,
by considering three different models (DNN, CNN,
RNN) trained and tested on two datasets with an
increasing level of complexity (CSE-CIC-IDS-2018
and CIC-DDoS-2019) and considering two classifica-
tion variants (binary and multi-label). To evaluate the
capability of the considered architectures to adapt to
different conditions, we considered adaptive architec-
tures with a variable number of neurons in the hidden
layers. Then, we automatically tuned the number of
neurons in each hidden layer based on the considered
dataset and the type of classification.
The results show how, in the case of binary classification,
it was possible to obtain consistently high
performance (> 99%) in both datasets, at the cost of
an increased number of parameters when consider-
ing the more complex dataset. Overall, in our ex-
periments the DNN model achieved the best perfor-
mance. However, in the case of multi-label classifica-
tion, we obtained satisfactory results only on the sim-
plest dataset, highlighting the need for more complex
architectures when considering complex datasets.
Future works will consider hyperparameter tun-
ing algorithms with an increased search space and
methods based on neural architecture search to design
more complex adaptive architectures.
ACKNOWLEDGEMENTS
This work was supported in part by the EC un-
der projects EdgeAI (101097300), GLACIATION
(101070141), and MARSAL (101017171), and by the
Italian MUR under project SERICS (PE00000014)
under the NRRP MUR program funded by the EU -
NGEU. We also thank the NVIDIA Corporation for
the GPU donated. Views and opinions expressed are
however those of the authors only and do not nec-
essarily reflect those of the European Union or the
Italian MUR. Neither the European Union nor Italian
MUR can be held responsible for them.
SECRYPT 2023 - 20th International Conference on Security and Cryptography