ICCK Transactions on Information Security and Cryptography, Volume 2, Issue 1, 2026: 55-69

Free to Read | Research Article | 11 February 2026
A Resource-Efficient Machine Learning Pipeline for DDoS Attack Detection: A Comparative Study on CIC-IDS2018 and CIC-DDoS2019
1 Department of Informatics and Systems, University of Management and Technology Lahore, Pakistan
2 Faculty of Information Technology and Computer Science, University of Central Punjab, Lahore, Pakistan
3 Department of Computer Science (FSD Campus), University of Engineering and Technology Lahore, Pakistan
4 Sparkverse AI Ltd, Bradford BD1, United Kingdom
* Corresponding Author: Nisar Ahmed, [email protected]
ARK: ark:/57805/tisc.2025.438083
Received: 13 December 2025, Accepted: 20 January 2026, Published: 11 February 2026  
Abstract
Distributed Denial of Service attacks remain a critical threat to modern networked systems due to their scale, diversity and evolving attack strategies. Although machine learning and deep learning techniques have been widely explored for DDoS detection, many existing studies rely on inconsistent preprocessing pipelines, single-dataset evaluations and limited reproducibility. This work proposes a unified and resource-efficient detection framework that addresses these challenges through systematic data handling and transparent model evaluation. The proposed pipeline integrates data cleaning, memory optimization, class balancing and hybrid feature engineering that combines linear, tree-based, statistical and information-theoretic selection methods. Classical machine learning models and a one-dimensional convolutional neural network (CNN) are evaluated on two widely used benchmark datasets, CIC-IDS2018 and CIC-DDoS2019, under a leakage-free experimental protocol. Principal Component Analysis is further examined as an optional dimensionality reduction technique. Experimental results show that Random Forest and the CNN achieve strong and consistent performance across both datasets, with hybrid feature selection improving accuracy while reducing dimensionality. The findings demonstrate that careful preprocessing and feature engineering enable classical models to perform competitively with deep learning approaches while maintaining lower computational cost. The study emphasizes reproducibility, efficiency and practical deployability, providing a robust baseline for future DDoS detection research and real-world intrusion detection systems.
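
To make the abstract's "hybrid feature selection" under a "leakage-free" protocol concrete, here is an added example (not the authors' code) that combines two of the four selector families named above, a statistical score and an information-theoretic score, fitted on the training split only. The voting rule, the median binning, the column names and the data are assumptions constructed for illustration.

```python
import math
from statistics import mean, median

# Constructed training split (not CIC data); column names are hypothetical.
TRAIN_Y = [0, 0, 0, 0, 1, 1, 1, 1]            # 0 = benign, 1 = attack
TRAIN = {
    "rate":  [1, 2, 3, 4, 10, 11, 12, 13],    # separates the classes linearly
    "burst": [5, 5, 5, 5, 0, 0, 10, 10],      # informative but not linearly
    "syn":   [0, 0, 1, 0, 1, 1, 1, 0],        # weak linear signal
    "noise": [5, 6, 5, 6, 5, 6, 5, 6],        # unrelated to the label
    "const": [0, 0, 0, 0, 0, 0, 0, 0],        # zero-variance column
}

def abs_corr(x, y):
    """Statistical score: |Pearson correlation| of feature and label."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return abs(cov / (sx * sy)) if sx and sy else 0.0  # constant column -> 0

def entropy(labels):
    n = len(labels)
    return -sum(labels.count(v) / n * math.log2(labels.count(v) / n)
                for v in set(labels))

def mutual_info(x, y):
    """Information-theoretic score: I(x > median; y) in bits."""
    cut = median(x)
    parts = ([b for a, b in zip(x, y) if a > cut],
             [b for a, b in zip(x, y) if a <= cut])
    return entropy(y) - sum(len(p) / len(y) * entropy(p) for p in parts if p)

def hybrid_select(cols, y, k=2, min_votes=1):
    """Each scorer votes for its top-k features; keep those with enough votes.
    Pass the training split only, so held-out rows never influence
    which columns the model sees."""
    votes = {}
    for scorer in (abs_corr, mutual_info):
        ranked = sorted(cols, key=lambda f: scorer(cols[f], y), reverse=True)
        for f in ranked[:k]:
            votes[f] = votes.get(f, 0) + 1
    return sorted(f for f, v in votes.items() if v >= min_votes)

def project(cols, selected):
    """Apply the already-fitted selection to another split (e.g. test)."""
    return {f: cols[f] for f in selected}

if __name__ == "__main__":
    print(hybrid_select(TRAIN, TRAIN_Y))               # union of both scorers
    print(hybrid_select(TRAIN, TRAIN_Y, min_votes=2))  # only where they agree
```

The `burst` column has zero linear correlation with the label yet carries information, so only the mutual-information scorer votes for it; a single-family selector would have dropped it.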


Keywords
distributed denial of service
DDoS detection
network intrusion detection
machine learning
deep learning
feature selection
class imbalance
CIC-IDS2018
CIC-DDoS2019

Data Availability Statement
The data supporting the findings of this study are publicly available. The CIC-IDS2018 network traffic dataset is provided by the Canadian Institute for Cybersecurity and can be accessed at https://www.unb.ca/cic/datasets/ids-2017.html. In addition, the CIC-DDoS2019 dataset is publicly available at https://www.unb.ca/cic/datasets/ddos-2019.html.

Funding
This work was supported without any funding.

Conflicts of Interest
Muhammad Imran Zaman is affiliated with Sparkverse AI Ltd, Bradford BD1, United Kingdom. The authors declare that this affiliation had no influence on the study design, data collection, analysis, interpretation, or the decision to publish, and that no other competing interests exist.

AI Use Statement
The authors declare that AI-assisted tools were used solely for language and grammatical refinement of the manuscript. Specifically, Grammarly Pro was employed to improve grammar, clarity, and language quality. No generative AI tools were used to create, modify, or analyze the scientific content, data, or conclusions of this study.

Ethical Approval and Consent to Participate
Not applicable.

Cite This Article
APA Style
Ahmed, N., Saleem, G., Naveed, A., & Zaman, M. I. (2026). A Resource-Efficient Machine Learning Pipeline for DDoS Attack Detection: A Comparative Study on CIC-IDS2018 and CIC-DDoS2019. ICCK Transactions on Information Security and Cryptography, 2(1), 55–69. https://doi.org/10.62762/TISC.2025.438083
Publisher's Note
ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and Permissions
Institute of Central Computation and Knowledge (ICCK) or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

ISSN: 3070-2429 (Online)
