The internet is the most effective means of communication in the modern world. As a result, cyber-attacks are becoming more frequent, and their consequences are becoming increasingly severe. Distributed denial of service (DDoS) is one of the five most effective and costly cyberattacks, and DDoS attacks are the most prevalent and expensive in today's evolving cybersecurity landscape. Their ability to disrupt network services causes significant financial losses, so effective DDoS detection and prevention are both essential for organisations. Network monitoring and control systems have found it challenging to recognise the numerous classes of denial of service (DoS) and DDoS attacks, as each works in its own way. Therefore, an effective model is needed for attack detection. A previous study has established that shallow and deep learning (DL) methods are vital for identifying DDoS threats; however, there is a lack of research on time-based features and classification across numerous DDoS threat categories. This manuscript introduces the ensemble learning model integrated with two-tier heuristic optimisation techniques for effective cyber defence (ELMT2HO-ECD) methodology. The primary purpose of the ELMT2HO-ECD methodology is to provide a robust solution for detecting and mitigating DDoS attacks in real time. Initially, the ELMT2HO-ECD approach applies mean normalisation to the data to scale the features within a specified range. Furthermore, the mountain gazelle optimiser (MGO) approach is utilised for feature extraction. For DDoS attack detection, ensemble DL models, namely convolutional long short-term memory (ConvLSTM), Wasserstein autoencoder (WAE), and temporal convolutional networks (TCN), are employed. To further enhance the performance of the three ensemble models, hyperparameter tuning is performed using the improved pufferfish optimisation algorithm (IPOA), which optimises the models' parameters to achieve higher accuracy.
The ELMT2HO-ECD model is evaluated on the CICIDS2017, CICIDS2018, and CICIDS2019 datasets. Performance validation of the ELMT2HO-ECD model demonstrated superior accuracy of 98.93%, 98.43%, and 99.23% compared with existing techniques.
Citation: Hend Khalid Alkahtani, Mohammed Baihan, Mohammed Burhanur Rehman, Randa Allafi, Sultan Almutairi, Ibrahim Zalah, Nouf Atiahallah Alghanmi, Mohammed Mujib Alshahrani. Mitigating DDoS attacks through ensemble learning models integrated with two-tier heuristic optimisation techniques for effective cyber defence[J]. AIMS Mathematics, 2025, 10(12): 30068-30108. doi: 10.3934/math.20251322