A Resource-Efficient Machine Learning Pipeline for DDoS Attack Detection: A Comparative Study on CIC-IDS2018 and CIC-DDoS2019
Article Information
Abstract
Distributed Denial of Service attacks remain a critical threat to modern networked systems due to their scale, diversity and evolving attack strategies. Although machine learning and deep learning techniques have been widely explored for DDoS detection, many existing studies rely on inconsistent preprocessing pipelines, single-dataset evaluations and limited reproducibility. This work proposes a unified and resource efficient detection framework that addresses these challenges through systematic data handling and transparent model evaluation. The proposed pipeline integrates data cleaning, memory optimization, class balancing and hybrid feature engineering that combines linear, tree-based, statistical and information-theoretic selection methods. Classical machine learning models and a one-dimensional convolutional neural network (CNN) are evaluated on two widely used benchmark datasets, CIC-IDS2018 and CIC-DDoS2019, under a leakage-free experimental protocol. Principal Component Analysis is further examined as an optional dimensionality reduction technique. Experimental results show that Random Forest and the CNN achieve strong and consistent performance across both datasets, with hybrid feature selection improving accuracy while reducing dimensionality. The findings demonstrate that careful preprocessing and feature engineering enable classical models to perform competitively with deep learning approaches while maintaining lower computational cost. The study emphasizes reproducibility, efficiency and practical deployability, providing a robust baseline for future DDoS detection research and real-world intrusion detection systems.
Graphical Abstract
Keywords
Data Availability Statement
Funding
Conflicts of Interest
AI Use Statement
Ethical Approval and Consent to Participate
References
- Wang, H., & Li, W. (2021). DDosTC: A transformer-based network attack detection hybrid mechanism in SDN. Sensors, 21(15), 5047.
[CrossRef] [Google Scholar] - Alshehri, M. S., Saidani, O., Al Malwi, W., Asiri, F., Latif, S., Khattak, A. A., & Ahmad, J. (2025). A Hybrid Wasserstein GAN and Autoencoder Model for Robust Intrusion Detection in IoT. Computer Modeling in Engineering & Sciences. http://dx.doi.org/10.32604/cmes.2025.064874
[Google Scholar] - Naeem, A., Khan, M. A., Alasbali, N., Ahmad, J., Khattak, A. A., & Khan, M. S. (2025). Efficient IoT Intrusion Detection with an Improved Attention-Based CNN-BiLSTM Architecture. arXiv preprint arXiv:2503.19339.
[Google Scholar] - Afifi, H., Pochaba, S., Boltres, A., Laniewski, D., Haberer, J., Paeleke, L., ... & Seufert, M. (2024). Machine learning with computer networks: techniques, datasets, and models. IEEE access, 12, 54673-54720.
[CrossRef] [Google Scholar] - Pasupathi, S., Kumar, R., & Pavithra, L. K. (2025). Proactive DDoS detection: integrating packet marking, traffic analysis, and machine learning for enhanced network security. Cluster Computing, 28(3), 210.
[CrossRef] [Google Scholar] - Kamarudin, M. H., Maple, C., & Watson, T. (2019). Hybrid feature selection technique for intrusion detection system. International Journal of High Performance Computing and Networking, 13(2), 232-240.
[CrossRef] [Google Scholar] - Prasad, A., & Chandra, S. (2022). VMFCVD: an optimized framework to combat volumetric DDoS attacks using machine learning. Arabian Journal for Science and Engineering, 47(8), 9965-9983.
[CrossRef] [Google Scholar] - Al-Na’amneh, Q., Aljaidi, M., Nasayreh, A., Gharaibeh, H., Al Mamlook, R. E., Jaradat, A. S., ... & Samara, G. (2024). Enhancing IoT device security: CNN-SVM hybrid approach for real-time detection of DoS and DDoS attacks. Journal of Intelligent Systems, 33(1), 20230150.
[CrossRef] [Google Scholar] - Songma, S., Sathuphan, T., & Pamutha, T. (2023). Optimizing intrusion detection systems in three phases on the CSE-CIC-IDS-2018 dataset. Computers, 12(12), 245.
[CrossRef] [Google Scholar] - Kiourkoulis, S., & Awad, A. I. (2020). DDoS datasets: Use of machine learning to analyse intrusion detection performance [Student thesis, Luleå University of Technology]. DiVA portal. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-78980
[Google Scholar] - Longjohn, R., Kelly, M., Singh, S., & Smyth, P. (2024, December). Benchmark data repositories for better benchmarking. In Proceedings of the 38th International Conference on Neural Information Processing Systems (pp. 86435-86457).
[Google Scholar] - Sayegh, H. R., Dong, W., & Al-madani, A. M. (2024). Enhanced intrusion detection with LSTM-based model, feature selection, and SMOTE for imbalanced data. Applied Sciences, 14(2), 479.
[CrossRef] [Google Scholar] - Ghani, H., Salekzamankhani, S., & Virdee, B. (2023). A hybrid dimensionality reduction for network intrusion detection. Journal of Cybersecurity and Privacy, 3(4), 830-843.
[CrossRef] [Google Scholar] - Natha, S., Ahmed, F., Siraj, M., Lagari, M., Altamimi, M., & Chandio, A. A. (2025). Deep BiLSTM attention model for spatial and temporal anomaly detection in video surveillance. Sensors, 25(1), 251.
[CrossRef] [Google Scholar] - Baye, G., Silva, P., Broggi, A., Fiondella, L., Bastian, N. D., & Kul, G. (2023, May). Performance analysis of deep-learning based open set recognition algorithms for network intrusion detection systems. In NOMS 2023-2023 IEEE/IFIP Network Operations and Management Symposium (pp. 1-6). IEEE.
[CrossRef] [Google Scholar] - Almazroi, A. A. (2024). Enhanced Adaptive Hybrid Convolutional Transformer Network for Malware Detection in IoT. International Journal of Advanced Computer Science & Applications, 15(11).
[CrossRef] [Google Scholar] - Haqmal, R., Safi, M. W., & Mohammad, F. (2026). Enhancing Security in Software-Defined Networks Using Artificial Intelligence Techniques. Journal of Advanced Computer Knowledge and Algorithms, 3(1), 37-54.
[CrossRef] [Google Scholar] - Kamaruddin, A., & Chin, T. S. (2025, August). An Enhanced Learning Voting-Based Framework for Time-Efficient DDoS Detection with Dataset Consistency in SDN-IoT Enabled Smart Homes. In International Conference on Mobile Web and Intelligent Information Systems (pp. 144-158). Cham: Springer Nature Switzerland.
[CrossRef] [Google Scholar] - Shukla, A. K., & Sharma, A. (2025, September). A Hybrid Machine Learning and Large Language Model Framework for Real-Time DDos Detection and Mitigation With Explainability. In 2025 7th International Conference on Information Systems and Computer Networks (ISCON) (pp. 1-5). IEEE.
[CrossRef] [Google Scholar] - Sathaporn, P., Krungseanmuang, W., Chaowalittawin, V., Benjangkaprasert, C., & Purahong, B. (2025). DDoS detection using a hybrid CNN–RNN model enhanced with multi-head attention for cloud infrastructure. Applied Sciences, 15(21), 11567.
[CrossRef] [Google Scholar]
Cite This Article
TY - JOUR AU - Ahmed, Nisar AU - Saleem, Gulshan AU - Naveed, Asim AU - Zaman, Muhammad Imran PY - 2026 DA - 2026/02/11 TI - A Resource-Efficient Machine Learning Pipeline for DDoS Attack Detection: A Comparative Study on CIC-IDS2018 and CIC-DDoS2019 JO - ICCK Transactions on Information Security and Cryptography T2 - ICCK Transactions on Information Security and Cryptography JF - ICCK Transactions on Information Security and Cryptography VL - 2 IS - 1 SP - 55 EP - 69 DO - 10.62762/TISC.2025.438083 UR - https://www.icck.org/article/abs/TISC.2025.438083 KW - distributed denial of service KW - DDoS detection KW - network intrusion detection KW - machine learning KW - deep learning KW - feature selection KW - class imbalance KW - CIC-IDS2018 KW - CIC-DDoS2019 AB - Distributed Denial of Service attacks remain a critical threat to modern networked systems due to their scale, diversity and evolving attack strategies. Although machine learning and deep learning techniques have been widely explored for DDoS detection, many existing studies rely on inconsistent preprocessing pipelines, single-dataset evaluations and limited reproducibility. This work proposes a unified and resource efficient detection framework that addresses these challenges through systematic data handling and transparent model evaluation. The proposed pipeline integrates data cleaning, memory optimization, class balancing and hybrid feature engineering that combines linear, tree-based, statistical and information-theoretic selection methods. Classical machine learning models and a one-dimensional convolutional neural network (CNN) are evaluated on two widely used benchmark datasets, CIC-IDS2018 and CIC-DDoS2019, under a leakage-free experimental protocol. Principal Component Analysis is further examined as an optional dimensionality reduction technique. Experimental results show that Random Forest and the CNN achieve strong and consistent performance across both datasets, with hybrid feature selection improving accuracy while reducing dimensionality. The findings demonstrate that careful preprocessing and feature engineering enable classical models to perform competitively with deep learning approaches while maintaining lower computational cost. The study emphasizes reproducibility, efficiency and practical deployability, providing a robust baseline for future DDoS detection research and real-world intrusion detection systems. SN - 3070-2429 PB - Institute of Central Computation and Knowledge LA - English ER -
@article{Ahmed2026A,
author = {Nisar Ahmed and Gulshan Saleem and Asim Naveed and Muhammad Imran Zaman},
title = {A Resource-Efficient Machine Learning Pipeline for DDoS Attack Detection: A Comparative Study on CIC-IDS2018 and CIC-DDoS2019},
journal = {ICCK Transactions on Information Security and Cryptography},
year = {2026},
volume = {2},
number = {1},
pages = {55-69},
doi = {10.62762/TISC.2025.438083},
url = {https://www.icck.org/article/abs/TISC.2025.438083},
abstract = {Distributed Denial of Service attacks remain a critical threat to modern networked systems due to their scale, diversity and evolving attack strategies. Although machine learning and deep learning techniques have been widely explored for DDoS detection, many existing studies rely on inconsistent preprocessing pipelines, single-dataset evaluations and limited reproducibility. This work proposes a unified and resource efficient detection framework that addresses these challenges through systematic data handling and transparent model evaluation. The proposed pipeline integrates data cleaning, memory optimization, class balancing and hybrid feature engineering that combines linear, tree-based, statistical and information-theoretic selection methods. Classical machine learning models and a one-dimensional convolutional neural network (CNN) are evaluated on two widely used benchmark datasets, CIC-IDS2018 and CIC-DDoS2019, under a leakage-free experimental protocol. Principal Component Analysis is further examined as an optional dimensionality reduction technique. Experimental results show that Random Forest and the CNN achieve strong and consistent performance across both datasets, with hybrid feature selection improving accuracy while reducing dimensionality. The findings demonstrate that careful preprocessing and feature engineering enable classical models to perform competitively with deep learning approaches while maintaining lower computational cost. The study emphasizes reproducibility, efficiency and practical deployability, providing a robust baseline for future DDoS detection research and real-world intrusion detection systems.},
keywords = {distributed denial of service, DDoS detection, network intrusion detection, machine learning, deep learning, feature selection, class imbalance, CIC-IDS2018, CIC-DDoS2019},
issn = {3070-2429},
publisher = {Institute of Central Computation and Knowledge}
}
Publisher's Note
ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and Permissions
Portico