A novel framework of DDoS attack detection in network using hybrid heuristic deep learning approaches with attention mechanism

Abstract

The “Distributed Denial of Service (DDoS)” threats have become a tool for the hackers, cyber swindlers, and cyber terrorists. Despite the high amount of conventional mitigation mechanisms that are present nowadays, the DDoS threats continue to enhance in severity, volume, and frequency. The DDoS attack has highly affected the availability of the networks for the previous years and still, there is no efficient defense technique against it. Moreover, the new and complex DDoS attacks are increasing on a daily basis but the traditional DDoS attack detection techniques cannot react to these threats. On the other hand, the hackers are employing very innovative strategies to initiate the threats. But, the traditional methods can become effective and reliable when combined with the deep learning-aided approaches. To solve these certain issues, a framework detection mechanism for DDoS attacks utilizes an attention-aided deep learning methodology. The primary thing is the acquisition of data from standard data online sources. Further, from the garnered data, the significant features are drawn out from the “Deep Weighted Restricted Boltzmann Machine (RBM)” using a “Deep Belief Network (DBN)”, in which the parameters are tuned by employing the recommended Enhanced Gannet Optimization Algorithm (EGOA). This feature extraction operation increases the network performance rate and also diminishes the dimensionality issues. Lastly, the acquired features are transferred to the model of “Attention and Cascaded Recurrent Neural Network (RNN) with Residual Long Short Term Memory (LSTM) (ACRNN-RLSTM)” blocks for the DDoS threat detection purpose. This designed network precisely identifies the complex and new attacks, thus it increases the trustworthiness of the network. In the end, the performance of the approach is contrasted with other traditional algorithms. Hence, the simulation outcomes are obtained that prove the system’s efficiency. Also, the outcomes displayed that the designed system overcame the conventional threat detection techniques.

Keywords

DDoS Attack Detection deep learning features extraction restricted Boltzmann machine hyper-parameters optimization enhanced gannet optimization algorithm attention and cascaded recurrent neural network with residual long short term memory

1. Introduction

In the recent days, the network’s openness has been one of the modern enhancing sectors. It is straightforward, rapid, and dynamic. It is referred to as an enhancing mechanism due to the productivity and the cheap cost [35]. The network includes various nodes, these are installed in the territory to garner the data and the garnered data may be transferred to the sink for the next execution. The sink integrates and validates the information after collecting it from the block [15]. Via the network, the sink node is linked to the external world. In the technology of the “Internet of Things (IoT)” that includes the nodes for gathering the information, the same gathered information can be transferred to the other node to meet the sink [11]. These topologies are utilized to do the transmission between the receiver and sender. The attack is called an active attack which normally changes the information and then it is sent among the receiver and the sender [17]. Several active attacks are Sinkhole, Sybil, Worm node, Replay attack, Masquerade attack, Node replication, DDoS attack, and so on [28]. Among the distinct active attacks, one of the severe attacks is a DDoS attack that affects the functionality highly because it floods the end node with a high quantity of data packets hence the node can’t enable the authentic requests [5]. The DDoS attacks are created by the computer components affected with the malware focusing to stop the online activities from offering services to victims normally causing or blocking the server to prevent the activity temporarily, the DDoS is employed from a high amount of occupied systems via Botnet distribution. The attack of DDoS contains various zombies hence it can develop heavy network traffic. Because of the zombie, the IP address is spoofed and it puts the IP address in the hands of the attacker [22]. Various DDoS attacks are conducted by the humanly instructed devices that include some systems with internet access.

Furthermore, the attacks of DDoS are often varying their strategies to win over the security devices made by the specialists and the network assistants who are providing simultaneous changes to their techniques in observing the advanced attacks [38]. The problem created by the “DDoS attack” can result in the device or network turning off, rapid sensor node drainage, and the service denial [21]. Due to these problems, the DDoS is referred to as one of the most complex attacks in the present day. Once the topology is located to be taken as a “Software Defined Network (SDN)” then the flow requests are sent to the end network that is transmitted by the information route to the controller [16]. However, emerging the flow amounts in the information route can create switches trouble from the system requests of flow on the handler and thus really cause it to be damaged. However, the identification approach of DDoS is needed because the secondary handler can be sensitive to the DDoS or the “DDoS attacks” [2]. Most of the presented conventional approaches concentrate on identifying the DDoS attacks with minimum false alerts yet often these mechanisms are not achieved to attain a better identification rate [36]. It is necessary to have an understanding of the characteristics of the DDoS attacks, but it is highly complex to find the effective characteristics to focus on the attack. However, several traditional mechanisms are often troubled by the large “False Positive Rate (FPR)” due to the improper extraction of the features [30]. In addition, the classical mechanisms have poor actuator performance, and the installation of the high-speed network in the present academic, commercial, and the data centers exposes the complexities of the network security and monitoring.

Deep learning and machine learning have developed as potential factors in divergent sectors most importantly in the network security. Machine learning approaches like random forests, “Support Vector Machine (SVM)”, and decision trees are adopted to categorize the traffic of the network into attack or normal classifications [27]. These approaches are learned on the data assets that include general traffic patterns and multiple attack scenes. Deep learning approaches can draw out the abstract and intricate features from the information of the network traffic, allowing more sophisticated and accurate identification of the DDoS attacks [32]. The approaches are learned in high-scale data resources to understand the critical representations of the attack and the normal patterns of the traffic attack. Their capacity to understand the high-scale information and find out the critical patterns creates then successive mechanisms for the identification of the “DDoS attack” [19]. The “Restricted Boltzmann Machine (RBM)” approach can win over the small number of input attributes and design the fundamental data resource distribution with the absence of related classes. The “deep Convolutional Neural Network (CNN)” is learned in the supervised model formulated by the related classes. CNN [34] is doing the categorization work and also understanding the common invariance filters which identify the common attributes from the provided signals. However, the machine learning and deep learning methodologies include the unwanted features that result in the system being very less efficient in identifying the threats. Moreover, these techniques rely on the packet feature engineering strategy that is significant. Also, various deep learning-assisted techniques lack the real-world deployments. Most importantly, the present methods are not implemented for the online threat identification within the factors of the present network, where the identification strategies should execute the traffic flows. Hence, it urges to implement a better mechanism for the recognition of “DDoS attacks” in the network.

The primary goals of the implemented “DDoS attack” identification framework are listed below.

To implement an advanced DDoS attack identification framework by adopting an improved algorithm and the deep learning strategies that efficiently identifies the network attacks and prevents the data loss.

To extract the necessary features from the garnered data by employing deep-weighted RBM using DBN that enhances the functionality of the network. Here, the network weights are optimized by the designed EGOA.

To design the implemented EGOA by adopting the conventional GOA that optimally selects the outcomes and assists in performing the weights optimization in the feature extraction stage.

To develop the ACRNN-RLSTM technique by influencing the concept of attention and cascaded RNN with residual LSTM that supports to identify the network attacks precisely.

To investigate the suggested DDoS attack detection mechanism by employing various conventional optimization algorithms and classifiers with certain performance metrics that highlight the supremacy of the designed model.

The recommended DDoS attack identification approach includes the upcoming parts. Part II illustrates the traditional mechanisms of the “DDoS attack” identification. Part III elucidates the implementation of a “DDoS attack” identification model with the support of an attention-based cascaded deep learning technique. Part IV offers the DBN and weighted feature attainment utilizing EGOA for attack detection. Part V explains the identification of the “DDoS attack” in a network utilizing attention and cascaded RNN with residual LSTM. Part VI portrays the outcomes and the discussions. Lastly, Part VI concludes the designed “DDoS attack” detection approach.

2. Existing works

2.1. Related works

In 2023, Cherian and Varma [8] have recommended a modern mechanism for safeguarding the IoT network utilizing an SDN-aware architecture that comprised a deep learning approaches and the dynamic counter-aided mechanism. The goal was to mitigate and identify the multiple security threats that attackers utilize to create the attacks of DDoS in the IoT networks. Especially, the suggested approach was validated utilizing the “CICDDoS2019” data resource to detect the exploitation and the reflection attacks. The architecture was evaluated by changing the attributes to calculate the functionality of the attack identification period, CPU utilization, and the workload of the SDN controller. The numerical outcomes have illustrated that the suggested architecture could effectively mitigate and identify the DDoS attacks while employing the CPU assets efficiently in less amount of time contrasted to the conventional mechanisms.

In 2022, Pajila et al. [4] have focussed on recognizing the “DDoS attacks” rapidly and to recover the sensor node information utilizing the mechanism of “fuzzy logic”. The “Fuzzy based DDoS attack Detection and Recovery (FBDR)” approach utilized the “type 1 fuzzy logic” to identify the “DDoS attack” occurrences in the node. Also, the “fuzzy type 2” was utilized for the information regeneration from the threat of DDoS. Both these rules supported mitigating the power utility of every node and improved the life period of the framework. The designed FBDR mechanism was contrasted with the other similar mechanisms and the solutions have specified that the FBDR mechanism performed higher than the other related mechanisms.

In 2020, Dong and Sarem [12] have deployed two mechanisms to recognize the “DDoS attack” in the network of SDN. One task utilized the “DDoS attack’s” degree to detect the attack of DDoS. The other approach utilized the enhanced “K-Nearest Neighbors (KNN)” approach according to the machine learning to find out the “DDoS attack”. The outcomes of the experimental outcomes and the theoretical estimation of the data resources showed that the expert’s designed approach could identify the DDoS attack effectively and contrasted with other mechanisms.

In 2021, Elsaeidy et al. [14] have explored a hybrid deep learning mechanism for identifying the DDoS and the replay threats in the present-life smart city sector. The functionality of the implemented hybrid mechanism was estimated by employing the present-time smart city data assets where the replay threats and the “DDoS attacks” were estimated. The suggested approach portrayed high correctness rates for the data assets. The outcomes have reported an enhanced functionality of the recommended approach against other deep learning and machine learning approaches.

In 2022, Cao et al. [6] have presented an identification method according to the “Spatial-Temporal Graph Convolutional Network (ST-GCN)” over the information “plane programmable SDN”. It detected the switch states via “In-band Network Telemetry (INT)” accompanied with sampling, provided the system stage into the “spatial-temporal convolutional network” identification approach, and at last identified that switched via which the attack of DDos flow passed. According to this experts developed the defense approach that efficiently reduced the system traffic and the “DDoS attacks”. Contrasted to the traditional approaches, the expert’s approach enhanced the identification correctness.

In 2021, Makuvaza et al. [20] have defined the cyber attacks like DDoS attacks presented in the network. The attackers have been utilizing the single-vector attacks nowadays. The demand for the real-time identification of the “DDoS attack” is very significant. The attackers adopt the powerful mechanisms to deploy the “DDoS attacks” in the system. Hence it has suggested a “Deep Neural Network (DNN)” answer for the real-time identification of the “DDoS attack” in the network. The recommended approach generated better accuracy rates utilizing less time and minimal resources.

In 2022, Agarwal et al. [1] have presented a framework named “feature selection-whale optimization algorithm-deep neural network (FS-WOA–DNN)” approach to minimize the “DDoS attack” in a good way. In the beginning, the pre-processing phase was performed and the suggested FS-WOA approach was utilized to choose the better feature set to help the categorization approach. The chosen attributes were forwarded to the DNN to classify the normal and the attacked information. The recommended approach was executed in the MATLAB component and validated experimentally which displayed the better accuracy rates in identifying the DDoS attack.

In 2022, Raghava and Lakshmi [24] have improved the DDoS identification approach via the deep learning mechanism by the combination of the LSTM and the CNN, named “CNN-O-LSTM”. With the support of optimal features which were selected by the “Closest Position-based Grey Wolf Optimization (CP-GWO)” was given to the CNN for the learning operation. These attributes were utilized for the identification process. The optimally chosen features improved the functionality of the network. Lastly, the optimized LSTM was utilized in the identification stage that focussed on enhancing the identification accuracy. The recommended DDoS identification mechanism was validated on the standard data sources and the solutions were contrasted against the classical tasks.

In 2023, D’Angelo et al. [10] have explored the dynamic non-linear model’s theory for efficiently learning the dynamics of internet traffic. To achieve this, the model employed the features of convolutional autoencoders to attain the significant attributes from the developed plots. The obtained outcomes, attained from the original data source, illustrated the efficacy of the designed model by outperforming the conventional models.

In 2023, D’Angelo et al. [9] have introduced a successive outcome to rectify the federated learning-based issues. The Markov chains feature and the related rules were adopted in the federated sector to meet the operations of malware categorization in the IoT sector. The designed work was estimated on various malware environments and attained better accuracy. The model provided better outcomes than the baseline techniques.

2.2. Research gaps and challenges

DDoS attacks have caused the disastrous problems in the different network structures. Due to this nature, the data packets are more vulnerable to eavesdropping and also it produces the data integrity and stability issues. Deep learning [8] yields the extensive results in making the system less vulnerable to DDoS attacks. However, it does not have the potential to use the high-dimensionality feature sets. FBDR [4] improves the network lifetime and lessens the energy consumption and it offers a higher detection rate. On the other hand, the neuro-fuzzy model is suggested for maximizing the network performance. KNN [12] detects the different levels of DDoS attack that evades the degradation. It enhances the higher detection rate. Yet, it is not able to apply the detection method other than SDN topology. Hybrid deep learning [14] resolves the less feature determination problem that helps to drive the superior performance and it also considers the real-time datasets. Owing to the implementation of two networks, the computation burden is increased. It also causes the structural complexity. ST-GCN [6] uses the features of graphical nodes that motivate to perform the detecting process and it can mitigate the network traffic. However, it becomes less effective while handling the massive collection of data. DNN [20] attains desired outcomes concerning detection correctness, f1-score, recall, and precision. Still, it includes more number of layers that requires more training time and data samples. FS-WOA-DNN [1] provides the optimum results or tuned parameters that assist in enhancing the efficiency. It further fails to detect other kinds of network attacks. CNN-O-LSTM [24] prevents the gradient vanishing problem while identifying the “DDoS attack” in the system. However, it contains the feature dimension problem that deteriorates the network integrity. These issues help to drive the development of effective detection methodology.

2.3. Motivation

The “DDoS attacks” have been a current problem for the cyber, digital infrastructure, and networks. These threats can create the high interruptions in any “Information Communication Technology (ICT)”. There may be various causes for deploying the DDoS threats. These consist of disruption, financial merits, and the political gains. The DDoS threats can damage the services and networks by overwhelming the network devices, network links, and the servers with illegal traffic. These can either create the service degradation or the overall service denial that leads the high losses. Enhancing dependence on the data centers and the internet created this issue. Multiple open-source and proprietary strategies have existed for the mitigation and detection of the DDoS attacks. However, these threats become enhanced. Quick identification and reduction of the DDoS threats have become challenging because the attackers continue to utilize the effective mechanisms to deploy the DDoS threats. The enhancing amount of DDoS threats, integrated with the enhancing variety in their kinds, creating high impact has created the DDoS threat identification, reduction, and prevention as the high priority.

3. Development of DDoS attack detection model: Attention-based cascaded deep learning technique

3.1. Architecture view of suggested detection method

The diagrammatic illustration of the suggested “DDoS attack” identification framework is provided in Fig. 1.

Fig. 1.

The diagrammatic representation of the recommended DDoS attack identification approach.

The methodology for the “DDoS attack” identification is implemented by utilizing the attention-assisted deep learning mechanism to win over the difficulties in the classical mechanisms. The initial thing is the data acquisition from the benchmark online resources. Furthermore, the features are extracted from the aid of RBM utilizing the DBN in that the parameters are optimized by employing the developed EGOA task. In the end, the attained features are subjected to the method of ACRNN-RLSTM. Finally, the method’s performance is validated by the numerous measures and contrasted with existing methodologies. Hence, the simulation solutions are accomplished that assure the system efficacy of estimating and avoiding the DDoS threats.

3.2. Parameter tuning by EGOA

The recommended EGOA modified the conventional GOA for the effective performance in the implemented task. The traditional GOA solves the large-scale constrained issues and the difficult issues in the engineering designs. However, the conventional GOA utilizes the random integer for the position updating. This may enhance the error rates. So the developed EGOA, the random variable r is estimated by Eq. (1) and utilized for the position updating. $\begin{matrix} (1) & r = \frac{bf}{(\frac{(bf / wf)}{(wf / bf)})} \end{matrix}$

Here, the term $bf$ refers to the best fitness of the GOA and the factor $wf$ refers to the worst fitness of the GOA. The traditional GOA’s functionalities are explained as follows.

The traditional GOA [23] has been inspired by the gannet’s predation characteristics. The GOA consists of exploitation and the exploration phases where the exploitation phase includes four unique predation characters such as U and “V-shaped dive” phases, immediate rotation, and the arbitrary wandering. The GOA’s mathematical model is presented here.

Initialization stage: The traditional GOA initializes with the arbitrary solutions given in Eq. (1) at that stage the optimal answer is considered as the better global answer. $\begin{matrix} (2) & B = [\begin{array}{cccccc} b_{1, 1} & \dots & b_{1, k} & \dots & b_{1, d - 1} & b_{1, d} \\ b_{2, 1} & \dots & b_{2, k} & \dots & b_{2, d - 1} & b_{2, d} \\ ⋮ & ⋮ & ⋮ & ⋮ & ⋮ & ⋮ \\ \dots & \dots & b_{j, k} & \dots & \dots & \dots \\ ⋮ & ⋮ & ⋮ & ⋮ & ⋮ & ⋮ \\ b_{M - 1, 1} & \dots & b_{M - 1, k} & \dots & b_{M - 1, d - 1} & b_{M - 1, d} \\ b_{M, 1} & \dots & b_{M, k} & \dots & b_{M, d - 1} & b_{M, d} \end{array}] \end{matrix}$

Here, the attribute $b_{j}$ refers to the individual’s position, and every $b_{j, k}$ variable in the matrix B can be estimated in Eq. (3). $\begin{matrix} (3) & b_{j, k} = x_{1} \times ({ub}_{k} - {lb}_{k}) + lb, j = 1, 2, \dots, M, k = 1, 2, \dots, d \end{matrix}$

The dimension’s lower area is pointed as ${lb}_{k}$ and the dimension’s upper region is termed as ${ub}_{k}$ . The overall individuals in the population are pointed as M and the term d refers to the issue’s dimensional size. The arbitrary integer among 0 and 1 is denoted as $x_{1}$ .

In the traditional GOA, experts utilized the term “memory matrix” which is indicated as $m x$ . The initialization stage allocates the matrix B values of to $m x$ . For all the iterations, the position updating of the individuals is stored in the “memory matrix” $m x$ . After estimating the fitness measure, if the variable $m x_{j}$ of the gannets performs better than the present answer $B_{j}$ then the term $m x_{j}$ is utilized or else the solution $B_{j}$ is utilized.

Exploration stage: The gannets hunt for food in the water and if they find the food then they will change their dive strategy according to the prey dive’s depth. There are two categories of dives such as “V-shaped and U shaped”. The U-shaped dive is very deep and long at the same time the V-shaped dive is narrow and short. Equation (5) and Eq. (6) formulate the u and V shape dives accordingly. $\begin{array}{c} (4) & u = 1 - \frac{I}{I_{max}} \\ (5) & h = 2 * cos (2 * π * x_{2}) * u \\ (6) & k = 2 * V (2 * π * x_{3}) * u \\ (7) & V (b) = \{\begin{array}{ll} - \frac{1}{π} * b + 1, & b \in (0, π) \\ \frac{1}{π} * b - 1, & b \in (π, 2 π) \end{array} \end{array}$

In Eq. (4) the variable I is the present iteration and the variable $I_{max}$ specifies the maximum iterations. The terms $x_{2}$ and $x_{3}$ are the arbitrary variables between 0 and 1.

The next operation is to employ the two dive mechanisms for the place upgrading. According to the arbitrary integer, r the dive mechanism is chosen in the conventional GOA task. In order to minimize the error rates the developed EGOA scheme estimates the variable r which is derived in Eq. (1). Equation (8) derives the position updating. $\begin{array}{c} (8) & m x_{j} (u + 1) = \{\begin{array}{ll} B_{j} (u) + f 1 + f 2, & r ⩾ 0.5 \\ B_{j} (u) + g 1 + g 2, & r < 0.5 \end{array} \\ (9) & f 2 = H * (B_{j} (u) - B_{x} (u)) \\ (10) & g 2 = K * (B_{j} (u) - B_{n} (u)) \\ (11) & H = (2 * x_{4} - 1) * h \\ (12) & K = (2 * x_{5} - 1) * k \end{array}$

The variables $x_{4}$ and $x_{5}$ are the arbitrary integers among 0 and 1. Then the factor $f 1$ represents the arbitrary variable among $- h$ and h. Then the factor $g 1$ represents the arbitrary variable among $- k$ and k. Further, the term $B_{j} (u)$ refers to the present population of the jth individual and the factor $B_{x} (u)$ specifies the arbitrarily chosen gannet in the present population and the factor $B_{n} (u)$ specifies the mean position of gannet in the present population. The variable $B_{n} (u)$ was estimated utilizing Eq. (13). $\begin{matrix} (13) & B_{n} (u) = \frac{1}{M} \sum_{j = 1}^{M} B_{j} (u) \end{matrix}$

Exploitation stage: This stage includes two strategies. The gannet utilizes its energy to catch the prey. At the same time, the prey also takes several actions to escape from the gannet. When the gannet has enough energy, it catches the prey. It is derived in Eq. (14). $\begin{array}{c} (14) & capturability = \frac{1}{X * u 2} \\ (15) & u 2 = 1 + \frac{I}{I_{max}} \\ (16) & X = \frac{W * {vel}^{2}}{L} \\ (17) & L = 0.2 + (2 - 0.2) * x_{6} \end{array}$

Here the attribute $x_{6}$ denotes the arbitrary integer among 0 and q. Further, the weight and the velocity of the gannet are specified as W and $vel$ correspondingly. In the traditional GOA, the weight and the velocity of the gannet are assigned as 2.5 Kg and 1.5 m/s accordingly.

According to the catching capacity of the gannet, the position updating is performed and it is derived by Eq. (18). $\begin{array}{c} (18) & m x_{j} (u + 1) = \{\begin{array}{ll} u * d e l t a * (B_{bst} (u) + B_{j} (u)), & capturability ⩾ y \\ B_{bst} (u) - (B_{j} (u) - B_{bst} (u)) * Q * u, & capturability < y \end{array} \\ (19) & delta = capturability * | B_{j} (u) - B_{bst} (u) | \\ (20) & Q = Levy (d) \end{array}$

Here the factor y is a constant with a value of 0.2. The current position’s best-performing gannet is indicated as $B_{bst} (u)$ and the variable $Levy$ refers to the “Levy flight function” which is validated by Eq. (21). $\begin{array}{c} (21) & Levy (d) = 0.01 \times \frac{η \times δ}{| v |^{\frac{1}{α}}} \\ (22) & δ = (\frac{Γ (1 + α) \times sin (\frac{π α}{2})}{Γ (\frac{1 + α}{2}) \times α \times 2^{(\frac{α - 1}{2})}}) \end{array}$

The arbitrary values are termed as η and δ among 0 and 1 and the variable α is an already defined constant. The “pseudo-code” of the suggested EGOA is offered in “Algorithm-1”. Figure 3 offers the flowchart of the designed EGOA approach.

Algorithm 1

Recommended EGOA

Fig. 2.

The flow chart of the recommended EGOA.

4. Deep belief network and weighted feature attainment using EGOA for attack detection

4.1. DBN-based feature extraction

The DBN [33] approach effectively discovers the structural data. The DBN is suggested to resolve the learning complexities for the deep structures by presenting a two-stage architecture such as fine-tuning and pre-training. Because of the better learning ability the DBN approach has been promisingly processed for multiple information evaluations such as speech recognition, computer vision, emotion recognition, and the language processing. With the help of this network, the feature extraction process is conducted for the recommended “DDoS attack” identification approach. The DBN is defined as a stack of RBMs in that the result of the lower-stage RBM may be performed as the input for the RBM’s higher stage. Hence, every RBM may be learned privately. The RBM is a two-stage NN in that the hidden and visible sectors are linked with the symmetric weights. Based on the weights in the RBM, the features are extracted in the suggested feature extraction process. Here, the real data $G_{m}$ is provided as an input. Normally the RBM units are normally binary $q \in {0, 1}^{r}$ and $y \in {0, 1}^{i}$ here the variables i and r specify the amount of hidden and visible units correspondingly. The RBM allocates a joint likelihood to the hidden unit’s every pair and the visible units. This is given in Eq. (23). $\begin{matrix} (23) & P (q, y) = \frac{1}{A} exp (- F (q, y)) \end{matrix}$

Here, the normalization constant is denoted as $A = \sum_{q, y} e^{- F (q, y)}$ , and the energy function $F (q, y)$ of the variable $(q, y)$ is derived in Eq. (24). $\begin{matrix} (24) & F (q, y) = - \sum_{j = 1}^{K} b_{j} q_{j} - \sum_{k = 1}^{L} c_{k} y_{k} - \sum_{j = 1}^{K} \sum_{k = 1}^{l} W_{j, k} q_{j} y_{k} \end{matrix}$

Here, the j visible unit’s binary state is denoted as $q_{j}$ , and the k hidden unit is indicated as $y_{k}$ . The related biases and the weights are termed as $W_{j, k}$ and $c_{k}$ correspondingly.

The visible units in the “Gaussian RBM” are not binary yet have an energy function, variance noise, and a zero mean. This is estimated in Eq. (25). $\begin{matrix} (25) & F (q, y) = \sum_{j = 1}^{K} \frac{{(q_{j} - b_{j})}^{2}}{2} - \sum_{j = 1}^{K} \sum_{k = 1}^{L} W_{j, k} q_{j} y_{k} - \sum_{k = 1}^{L} c_{k} y_{k} \end{matrix}$

The “Gaussian RBM” can be performed for the information where the visible units are simultaneous measures.

The initial stage of the DBM system is to pre-learn the RBM “layer by layer”. Naturally, the process of pre-learning focuses on creating the starting weight of the DBN to prevent the general optimum that mostly happens in the deep frameworks. The likelihood of the sum of every hidden unit to the visible vector is calculated in Eq. (26). $\begin{matrix} (26) & P (q) = \sum_{y} p (q, y) = \frac{1}{A} \sum_{y} exp (- F (q, y)) \end{matrix}$

The learning operation of the RBM may be considered as enhancing the “log-likelihood” $P (q)$ that can be accomplished via the algorithm of gradient learning. From this DBN-aided feature extraction approach, the features are precisely extracted and represented as $G_{m}^{F}$ . The flow diagram of the offered EGOA algorithm is shown in Fig. 2.

4.2. Deep weighted RBM features

Fig. 3.

The DBN-aided feature extraction process for the recommended DDoS attach detection mechanism.

From the DBN technique, the features are drawn out $G_{m}^{F}$ from the original data with the help of weights in the RBN. The DBN-aided feature extraction is widely utilized for the detection approaches. This highly maximizes the detection rates. However, the weights in the RBM may create the computational issues because of its large amounts. So the weights are optimally tuned in the suggested feature extraction process by utilizing the recommended EGOA scheme. The objective function of this feature extraction technique is formulated in Eq. (27). $\begin{matrix} (27) & ob = \underset{{w^{z}}}{arg max} [cc + ve] \end{matrix}$

Here, the variable $w^{z}$ specifies the weight which is limited from 0.01 to 0.99. The factors $cc$ and $ve$ denote the “correlation coefficient and variance” accordingly. These two factors are mathematically derived as follows.

Correlation coefficient $cc$ : “This is the factor which estimates the linear relationship strength among the two variables in the evaluation of correlation”. It is derived in Eq. (28). $\begin{matrix} (28) & cc = \frac{\sum (a_{i} - \bar{a}) (b_{i} - \bar{b})}{\sqrt{\sum {(a_{i} - \bar{a})}^{2} {(b_{i} - \bar{b})}^{2}}} \end{matrix}$

The factors $a_{i}$ and $b_{i}$ denote the rate of the sample in the terms a and b correspondingly. Then the factors $\bar{a}$ and $\bar{b}$ denote the corresponding mean values of the terms a and b accordingly.

Variance $ve$ :” It is the statistical factor of the spread among the dataset numbers”. It is formulated in Eq. (29). $\begin{matrix} (29) & ve = \frac{\sum {(a_{i} - \bar{a})}^{2}}{m - 1} \end{matrix}$

The term m refers to the total amount of observations. Then the optimized weights $w^{z}$ and the extracted features $G_{m}^{F}$ are multiplied to create the deep weighted features and it is specified as $G_{m}^{FE}$ . Figure 3 depicts the DBN-aided feature extraction process.

5. Detecting the DDoS attack in network using attention and cascaded RNN with residual LSTM

5.1. Attention and cascaded RNN

The RNN [25] is very strongest deep learning categorization approach most importantly for the sequential information. The RNNs are presently a promising approach in speech recognition and “Natural Language Processing (NLP)”.The general RNN has three layers that are named as input, output, and recurrent layers. Here, the extracted features from the DBN $G_{m}^{FE}$ are subjected as input. The input layer includes M inputs. The input layer includes the vector sequences ${\dots, G_{u - 1}^{FE}, G_{u}^{FE}, G_{u + 1}^{FE}, \dots}$ for the time u as an input, here $G_{u}^{FE} = (G_{1}^{FE}, G_{2}^{FE}, \dots, G_{M}^{FE})$ . In the fully connected RNN, the input units are bridged to the “hidden layer’s hidden units”. Here, the connections are specified with the weight matrix $W_{1 I}$ . The hidden units $i_{u} = (i_{1}, i_{2}, \dots, i_{L})$ that are included in the L” hidden layer” are bridged to each other by a period with the recurrent units. The hidden unit initialization by applying the little non-zero factors can raise the stability and the functionality of the system. The memory of the “hidden layer” is derived in Eq. (30). $\begin{matrix} (30) & i_{u} = f_{I} (p_{u}) \end{matrix}$

Here, $\begin{matrix} (31) & p_{u} = W_{1 I} G_{u}^{FE} + W_{I I} i_{u - 1} + e_{i} \end{matrix}$

The bias vector and the activation function in the hidden layers are termed as $e_{i}$ and $f_{I} (∙)$ correspondingly. The hidden units are bridged with the resultant layer with the weighted connections $W_{IP}$ . The resultant layer has Q units that are $z_{u} = (z_{1}, z_{2}, \dots, z_{Q})$ estimated in Eq. (32). $\begin{matrix} (32) & z_{u} = f_{P} (W_{IP} i_{u} + e_{p}) \end{matrix}$

The activation function of the resultant layer and then the bias vector are specified as $f_{P} (∙)$ and $e_{p}$ appropriately.

Attention [ 29 ]: In order to enrich the effectiveness and the correctness of the detection approach the developed “DDoS attack” recognition methodology utilizes the attention concept. For the input with the dimension “keys and the queries, and the dimension values”, the attention’s resultant matrix is given by Eq. (33). $\begin{matrix} (33) & Atn (qy, jy, ve) = soft max (\frac{{(qy * ky)}^{T}}{\sqrt{d_{ky}}}) ve \end{matrix}$

The terms $qy$ and $ky$ point to the query and key matrices appropriately. Then the factor $ve$ refers to the value matrices.

Attention and cascaded RNN: The attention-aided RNN is processed three times for the stable outcomes. This offers very effective features for the “residual LSTM” framework. The attention and cascaded network enhance the classification rates of the DDoS attacks. The attention-based RNN is displayed in Fig. 4.

Fig. 4.

The architecture of the attention-aided RNN for the recommended DDoS attach detection mechanism.

5.2. Residual LSTM

The residual LSTM [18] is adopted for the effective categorization of the “DDoS attacks”. In this network, the attained average-based feature from attention and cascaded RNN is given as an input. The LSTM is recommended to rectify the exploding or vanishing gradients for the RNN. The internal storage cell is presented in the LSTM, which is managed by the “input gate” and the forget gate networks. The forget gate is responsible for defining how much previous memory value must be transferred to the future time stage. At the same time, the input gate measures the new input to the storage cells. Based on the phases of the two gates the LSTM can specify the sequential data’s short-term or the long term. The formulation of the LSTM is provided from Eq. (34) to Eq. (39). $\begin{array}{c} (34) & z_{u}^{l} = σ (W_{y z}^{l} y_{u}^{l} + W_{i z}^{l} i_{u - 1}^{l} + w_{d z}^{l} d_{u - 1}^{l} + c_{z}^{l}) \\ (35) & g_{u}^{l} = σ (W_{y g}^{l} y_{u}^{l} + W_{i g}^{l} i_{u - 1}^{l} + w_{d g}^{l} d_{u - 1}^{l} + c_{g}^{l}) \\ (36) & d_{u}^{l} = g_{u}^{l} . d_{u - 1}^{l} + z_{u}^{l} . tanh (W_{y d}^{l} y_{u}^{l} + W_{i d}^{l} i_{u - 1}^{l} + c_{d}^{l}) \\ (37) & p_{u}^{l} = σ (W_{y p}^{l} y_{u}^{l} + W_{i p}^{l} i_{u - 1}^{l} + w_{d p}^{l} d_{u - 1}^{l} + c_{p}^{l}) \\ (38) & s_{u}^{l} = p_{u}^{l} . tanh (d_{u}^{l}) \\ (39) & i_{u}^{l} = W_{q}^{l} . s_{u}^{l} \end{array}$

The layer index is denoted as l and the output, input and forget gate are given as $p_{u}^{l}$ , $z_{u}^{l}$ and $g_{u}^{l}$ correspondingly. The variable $y_{u}^{l}$ represents the $(l - 1)$ th layer input and the variable $i_{u - 1}^{l}$ indicates the lth output layer at the period. Also, the internal cell state is indicated as $d_{u}^{l}$ for the period $u - 1$ . The projection matrix $W_{q}^{l}$ is utilized in order to minimize the dimension of $s_{u}^{l}$ .

Fig. 5.

The framework of the residual LSTM for the suggested DDoS attach detection mechanism.

The residual LSTM initiates with the goal that the disconnection of the “spatial domain shortcut path” with the cell upgrade of the temporal domain can provide good flexibility to handle the exploding or vanishing gradients. The residual LSTM is not gathering the highway route in the internal memory cell. Rather the shortcut route is joined to the output layer of the LSTM. The derivations from Eq. (34) to Eq. (37) the derivations were not changed in the residual LSTM. The upgraded derivations are offered from Eq. (40) to Eq. (42). $\begin{array}{c} (40) & s_{u}^{l} = tanh (d_{u}^{l}) \\ (41) & n_{u}^{l} = W_{q}^{l} . s_{u}^{l} \\ (42) & i_{u}^{l} = p_{u}^{l} . (n_{u}^{l} + W_{i}^{l} y_{u}^{l}) \end{array}$

Here the variable $W_{i}^{l}$ may be exchanged by the identity matrix if the size of the term $y_{u}^{l}$ equals the variable $i_{u}^{l}$ . For the equalized dimension Eq. (42) was modified as Eq. (43). $\begin{matrix} (43) & i_{u}^{l} = p_{u}^{l} . (n_{u}^{l} + y_{u}^{l}) \end{matrix}$

The highway route is enabled always for the residual LSTM so the scaling variable is on the primary way outcome.

The residual LSTM’s framework is illustrated in Fig. 5.

5.3. Suggested ACRNN-RLSTM for detection

The attention and cascaded RNN help to design the flexible network for the “DDoS attack” identification and this technique enhances the correctness. At the same time, the residual LSTM improves the functionality of the network and manages the long-term dependencies. However, the attention and cascaded RNN make it hard to process the longer sequences and have vanishing gradient issues. The residual LSTM needs more time to train the data and requires extra attributes. To conquer the issues in the traditional residual LSTM and the attention and cascaded RNN, both techniques are integrated and called ACRNN-RLSTM. The process of the ACRNN-RLSTM is given as follows.

ACRNN-RLSTM: Initially, the extracted features from the DBN using RBM $G_{m}^{FE}$ are given as an input for the attention and cascaded RNN where the attention-based RNN is three times processed. The three important features from the attention and cascaded RNN are calculated to estimate the average and then the resultant feature is offered as an input for the residual LSTM. It detects the DDoS attacks effectively with minimum error rates. Finally, the DDoS attack-detected data is achieved with the support of the ACRNN-RLSTM technique. By employing the recommended ACRNN-RLSTM method, the DDoS attack has been detected accurately. Further, with the support of dataset 1, the benign, DDoS-PSH-ACK, and DDoS-ACK attacks have been classified. Moreover, dataset 2 helps to categorize the normal traffic and attack traffic. Diagrammatically the architecture of ACRNN-RLSTM is depicted in Fig. 6.

Fig. 6.

The diagrammatic illustration of the suggested ACRNN-RLSTM for the detection mechanism of a DDoS attack.

6. Results and discussion

6.1. Implemented dataset details

The implemented DDoS attack identification mechanism utilizes the below data resources. Table 1 shows the detailed descriptions of the data assets that are utilized in the recommended DDoS attack detection approach.

From the above utilized data resources the acquired data is denoted as $G_{m}$ , here $m = 1, 2, 3, \dots, M$ and the variable M points the total attained data.

6.2. Simulation setup

The suggested “DDoS attack” identification methodology was executed in Python and the successful outcomes were accomplished. The population and the maximum execution of the implemented attack detection approach are 10 and 50 correspondingly. Also, the chromosome length of the recommended “DDoS attack” detection approach was decided according to the number of hidden neuron counts. Several traditional optimization approaches such as “Tuna Swarm Optimization (TSO) [31], Beluga Whale Optimization (BWO) [37], CuttleFish Optimization (CO) [13], and GOA [23]” were utilized for the examination of the suggested DDoS detection framework. In addition, some of the traditional classifiers such as “LSTM [3], RNN [25], Resnet [7], and EfficientNet [26]” were adopted for the examination of the suggested DDoS attack detection process.

Table 1
Dataset descriptions of the recommended DDoS detection approach

“Dataset” “Link” “Descriptions”

1 (“APA-DDoS Dataset”) “https://www.kaggle.com/datasets/yashwanthkumbam/apaddos-dataset: access date: 2023-08-07” This corresponding data source includes 3 files with 23 columns. It is employed by the programmers to improve the identification ratio by the modules of detection.

2 (“WUSTL-IIOT-2018 Dataset”) “https://www.cse.wustl.edu/~jain/iiot/index.html: access date: 2023-08-07” It is employed for the cyber security experiments and developed with the support of a “SCADA system”.

“Dataset”	“Link”	“Descriptions”
1 (“APA-DDoS Dataset”)	“https://www.kaggle.com/datasets/yashwanthkumbam/apaddos-dataset: access date: 2023-08-07”	This corresponding data source includes 3 files with 23 columns. It is employed by the programmers to improve the identification ratio by the modules of detection.
2 (“WUSTL-IIOT-2018 Dataset”)	“https://www.cse.wustl.edu/~jain/iiot/index.html: access date: 2023-08-07”	It is employed for the cyber security experiments and developed with the support of a “SCADA system”.

Fig. 7.

The confusion matrix evaluation of the recommended DDoS attack identification mechanism in terms of “(a) Dataset-1 and (b) Dataset-2”.

Fig. 8.

The ROC evaluation of the implemented DDoS attack identification mechanism over numerous traditional techniques regarding “(a) Dataset-1 and (b) Dataset-2”.

Fig. 9.

The convergence calculation of the implemented EGOA algorithm over diverse classical algorithms concerning “(a) Dataset-1 and (b) Dataset-2”.

Table 2

The statistical examination of the designed EGOA over diverse classical optimization algorithms

Statistics	TSO [31]	BWO [37]	DO [13]	GOA [23]	EGOA
“Dataset 1”
“BEST”	5.560765247	4.163997013	4.532754213	4.715128407	2.753192041
“WORST”	1.381010793	1.398385434	1.287604896	1.296331786	0.997315671
“MEAN”	1.823759632	1.642732921	1.845940951	1.631121062	1.048577804
“MEDIAN”	1.61804927	1.412063853	1.335576295	1.49432699	1.024223346
“STD”	0.705452979	0.534360931	0.863910964	0.599054099	0.243861937
“Dataset 2”
“BEST”	2.679012318	2.129279488	2.629169295	4.031114915	1.42675673
“WORST”	1.281104289	1.291630238	1.366952758	1.441652413	0.806744284
“MEAN”	1.46091221	1.44014896	1.619601202	1.566946128	0.893299604
“MEDIAN”	1.281104289	1.38271421	1.544784651	1.441652413	0.806744284
“STD”	0.42244779	0.208058995	0.269426322	0.449079247	0.199763076

6.3. Evaluation metrics

The factors which are utilized for validating the recommended DDoS attack detection mechanism are described here.

Accuracy: “This is utilized to estimate the relationship among the source and the resultant data”. $\begin{matrix} (44) & Ac = \frac{k j + m l}{k j + m l + s r + u t} \end{matrix}$

NPV: “This refers to the likelihood associated with the negative research outcome that separately not provided the specific problem.” $\begin{matrix} (45) & NPV = \frac{k j}{k j + u t} \end{matrix}$

FPR: “This calculates the measure that is identified by error”. $\begin{matrix} (46) & FPR = \frac{s r}{s r + k j} \end{matrix}$

F1-score:” This is measured as the rate among the recall and precision factor’s balanced value”. $\begin{matrix} (47) & F 1 Score = 2 \times \frac{m l \times s r}{m l + s r} \end{matrix}$

FDR: “This is the examination of referring the both TP and FP values”. $\begin{matrix} (48) & FDR = \frac{s r}{k j + s r} \end{matrix}$

Fig. 10.

The performance examination of the designed DDoS attack identification approach over numerous classical algorithms for the first dataset concerning “(a) Accuracy, (b) F1-score, (c) precision and (d) recall”.

Fig. 11.

The performance examination of the implemented DDoS attack detection approach over various traditional classifiers for the first dataset concerning “(a) Accuracy, (b) F1-score, (c) precision and (d) recall”.

Fig. 12.

The performance examination of the designed DDoS attack detection approach over numerous classical algorithms for the second dataset concerning “(a) accuracy, (b) F1-score, (c) precision and (d) recall”.

Fig. 13.

The performance examination of the designed DDoS attack detection approach over numerous classical techniques for the second dataset concerning “(a) accuracy, (b) F1-score, (c) precision and (d) recall”.

Sensitivity: “This is the less absolute number of the changes that could be detected by the metric”. $\begin{matrix} (49) & Sen = \frac{k j}{k k + m l} \end{matrix}$

Specificity: “This is the estimation of the likelihood of the negative ratio”. $\begin{matrix} (50) & spec = \frac{s r}{s r + u t} \end{matrix}$

Recall: “It is the factor that evaluates the amount of correct positive measures in the total positive values”. $\begin{matrix} (51) & Re = \frac{m l}{m l + u t} \end{matrix}$

MCC: “This is the changes between the recognized data and the raw data”. $\begin{matrix} (52) & MCC = \frac{u t \times m l - n m \times m l}{\sqrt{(u t + k j) (u t + m l) (k k + s r) (k j + u t)}} \end{matrix}$

Precision:” This is the same measure of the attack identified and the localized solutions”. $\begin{matrix} (53) & pre = \frac{k j}{k j + m l} \end{matrix}$

Here, the factors $u t$ and $s r$ point to the “false negative and the false positive values” appropriately. Moreover, the terms $k j$ and $m l$ refer to the “true positive and the true negative values” accordingly.

6.4. The confusion matrix estimation of the suggested DDoS attack detection mechanism

The suggested “DDoS attack” identification approach is investigated with confusion matrix analysis for the two data sources and shown in Fig. 7. The accuracy is taken as a primary factor for this operation. The solutions portrayed that the implemented DDoS attack identification approach attained high correctness for the two data resources.

6.5. The ROC evaluation of the implemented DDoS attack identification approach over various traditional classifiers

Figure 8 displays the estimation of ROC for the implemented “DDoS attack” identification approach over diverse existing classifiers for the two data assets. FPR is utilized for the estimation of ROC. For the second dataset in Fig. 8 (b), when the FPR rate is 0.2, the ROC value of the designed “DDoS attack” identification process is advanced by 85% of LSTM, 90% of RNN, 95% of Resnet, and 97.5% of EfficientNet appropriately. The suggested DDoS attack detection mechanism attained better functionalities which are confirmed by the outcomes.

6.6. The convergence examination of the suggested EGOA algorithm over diverse classical algorithms

The convergence of the introduced EGOA scheme is validated against multiple conventional algorithms for two data resources and is depicted in Fig. 9. Here, the convergence is examined with the help of the iteration counts. The recommended EGOA’s convergence is raised by 76% of TSO, 85% of BWO, 80% of DO, and 83% of GOA accordingly when concentrating the first dataset iteration value as 10 in Fig. 9 (a). The recommended EGOA scheme has higher convergence than the traditional optimization mechanisms and that is proved in this examination.

6.7. The statistic investigation of the implemented EGOA algorithm over various classical algorithms

The suggested EGOA is statistically validated against various traditional algorithms for the two benchmark sources and illustrated in Table 2. For the second data asset, the recommended EGOA is enriched by 64% of TSO, 61.7% of BWO, 80.8% of DO, and 75.2% of GOA correspondingly when taking the mean measure. This shows the efficient functionalities of the introduced EGOA.

6.8. The performance estimation of the implemented DDoS attack identification framework over numerous algorithms and techniques

Figure 10 and Fig. 11 display the performance validation of the implemented DDoS attack identification mechanism against diverse classical algorithms and techniques for the first dataset. Furthermore, Fig. 12 and Fig. 13 provide the performance examination of the suggested DDoS attack identification mechanism against divergent traditional algorithms and classifiers for the second dataset. By focusing on the epoch values the functionality of the recommended “DDoS attack” identification is validated. For the first data resource, the epoch value is 150 in Fig. 10 (a) the suggested DDoS attack detection approach’s accuracy is raised by 40.6% of TSO, 42% of BWO, 38.3% of DO, and 39.3% of GOA accordingly. From the overall solution, it is assured that the designed “DDoS attack” identification mechanism overcomes all other classical approaches.

6.9. Overall comparative calculation of the implemented DDoS attack identification framework over diverse algorithms and techniques

The implemented DDoS attack detection approach’s overall comparison is provided in Table 3 and Table 4 over diverse algorithms and techniques for the two data assets. The suggested DDoS attack detection technique’s accuracy is advanced by 48.3% of LSTM, 9.6% of RNN, 29% of Resnet, and 9.6% of EfficientNet for the second dataset. The overall estimation outcomes showed that the implemented DDoS attack identification approach has better effectiveness than the existing techniques.

Table 3
The overall comparative validation of the suggested DDoS attack identification mechanism over diverse optimization algorithms for the two datasets

Terms TSO [31] BWO [37] DO [13] GOA [23] EGOA

“Dataset 1”

“Accuracy” 89.40866667 87.61266667 93.043 91.203 94.93033333

“Recall” 89.387 87.612 93.049 91.175 94.921

“Specificity” 89.4195 87.613 93.04 91.217 94.935

“Precision” 80.85808879 77.95632908 86.98688405 83.84601944 90.35706466

“FPR” 10.5805 12.387 6.96 8.783 5.065

“FNR” 10.613 12.388 6.951 8.825 5.079

“NPV” 94.39805333 93.39708124 96.39902399 95.38583805 97.39470323

“FDR” 19.14191121 22.04367092 13.01311595 16.15398056 9.642935336

“F1-Score” 84.90890438 82.50261317 89.91588112 87.35705971 92.58282086

“MCC” 0.770108639 0.732636355 0.847266749 0.807964801 0.887976512

“Dataset 2”

“Accuracy” 85.886 91.1945 89.393 87.646 93.0485

“Recall” 85.881 91.185 89.369 87.641 93.051

“Specificity” 85.891 91.204 89.417 87.651 93.046

“Precision” 85.88958896 91.20232844 89.41191772 87.64976498 93.04634768

“FPR” 14.109 8.796 10.583 12.349 6.954

“FNR” 14.119 8.815 10.631 12.359 6.949

“NPV” 85.88241176 91.18667453 89.37410043 87.64223578 93.05065253

“FDR” 14.11041104 8.797671558 10.58808228 12.35023502 6.953652317

“F1-Score” 85.88529426 91.1936634 89.39045371 87.64538227 93.04867378

“MCC” 0.717720004 0.823890015 0.787860091 0.752920004 0.860970001

Terms	TSO [31]	BWO [37]	DO [13]	GOA [23]	EGOA
“Dataset 1”
“Accuracy”	89.40866667	87.61266667	93.043	91.203	94.93033333
“Recall”	89.387	87.612	93.049	91.175	94.921
“Specificity”	89.4195	87.613	93.04	91.217	94.935
“Precision”	80.85808879	77.95632908	86.98688405	83.84601944	90.35706466
“FPR”	10.5805	12.387	6.96	8.783	5.065
“FNR”	10.613	12.388	6.951	8.825	5.079
“NPV”	94.39805333	93.39708124	96.39902399	95.38583805	97.39470323
“FDR”	19.14191121	22.04367092	13.01311595	16.15398056	9.642935336
“F1-Score”	84.90890438	82.50261317	89.91588112	87.35705971	92.58282086
“MCC”	0.770108639	0.732636355	0.847266749	0.807964801	0.887976512
“Dataset 2”
“Accuracy”	85.886	91.1945	89.393	87.646	93.0485
“Recall”	85.881	91.185	89.369	87.641	93.051
“Specificity”	85.891	91.204	89.417	87.651	93.046
“Precision”	85.88958896	91.20232844	89.41191772	87.64976498	93.04634768
“FPR”	14.109	8.796	10.583	12.349	6.954
“FNR”	14.119	8.815	10.631	12.359	6.949
“NPV”	85.88241176	91.18667453	89.37410043	87.64223578	93.05065253
“FDR”	14.11041104	8.797671558	10.58808228	12.35023502	6.953652317
“F1-Score”	85.88529426	91.1936634	89.39045371	87.64538227	93.04867378
“MCC”	0.717720004	0.823890015	0.787860091	0.752920004	0.860970001

Table 4

The overall comparative validation of the suggested DDoS attack identification mechanism over diverse techniques for the two datasets

Terms	LSTM [3]	RNN [25]	Resnet [7]	EfficientNet [26]	ACRNN-RLSTM
“Dataset 1”
“Accuracy”	88.515	92.12333333	90.28833333	93.99266667	94.93033333
“Recall”	88.505	92.113	90.294	94.007	94.921
“Specificity”	88.52	92.1285	90.2855	93.9855	94.935
“Precision”	79.40160589	85.4036864	82.29268248	88.65573956	90.35706466
“FPR”	11.48	7.8715	9.7145	6.0145	5.065
“FNR”	11.495	7.887	9.706	5.993	5.079
“NPV”	93.90298883	95.89526605	94.89901565	96.91025139	97.39470323
“FDR”	20.59839411	14.5963136	17.70731752	11.34426044	9.642935336
“F1-Score”	83.70652354	88.63155261	86.10786609	91.25298492	92.58282086
“MCC”	0.751417754	0.82757149	0.788674105	0.867707638	0.887976512
“Dataset 2”
“Accuracy”	88.534	92.158	90.3	93.9885	93.0485
“Recall”	88.556	92.152	90.293	93.987	93.051
“Specificity”	88.512	92.164	90.307	93.99	93.046
“Precision”	88.5170525	92.16305957	90.30564279	93.98981969	93.04634768
“FPR”	11.488	7.836	9.693	6.01	6.954
“FNR”	11.444	7.848	9.707	6.013	6.949
“NPV”	88.55096242	92.15294165	90.29435879	93.98718038	93.05065253
“FDR”	11.4829475	7.836940433	9.69435721	6.010180305	6.953652317
“F1-Score”	88.53652197	92.15752945	90.29932095	93.98840983	93.04867378
“MCC”	0.770680075	0.843160006	0.806000008	0.87977	0.860970001

6.10. K-fold validation of the designed DDoS attack identification process

K-fold validation of the designed DDoS attack identification process has been conducted over some of the machine learning techniques and is shown in Table 5 for both datasets. In this analysis, the estimation of the K-fold has partitioned the overall dataset into 5 sets. For instance, while focussing the 100 data for estimation (i) 1-fold contains 1–20, (ii) 2-fold includes 21–40, (iii) 3-fold contains 41–60, (iv) 4-fold includes 61–80, and (v) 5-fold contains 81-100. If the 1-fold estimation has been taken, where a testing stage is performed on 1 set and the remaining set of information has been utilized for the training stage. According to this, the evaluation has been conducted and this estimation is continued until the effective outcomes have been attained. The presented work attained the highest accuracy while performing the 5 fold analysis. The designed system’s accuracy is enriched by 8.7% of Resnet, 7.4% of EfficientNet, 5.6% of Autoencoders, and 3.4% of Federated Markov chains for the first dataset. Hence, it is revealed that the designed model overcomes the traditional machine learning techniques and attained highly effective solutions.

Table 5
K-fold validation of the designed DDoS attack identification model over various machine learning algorithms for the two datasets

Terms Resnet [7] EfficientNet [26] Autoencoder [10] Federated Markov chains [9] ACRNN-RLSTM

“Dataset 1”

“Accuracy” 86.58854167 87.890625 89.58333333 91.66666667 94.93033333

“Sensitivity” 86.56716418 86.94029851 89.92537313 91.79104478 94.921

“Specificity” 86.6 88.4 89.4 91.6 94.935

“Precision” 77.59197324 80.06872852 81.97278912 85.41666667 90.35706466

“FPR” 13.4 11.6 10.6 8.4 5.065

“FNR” 13.43283582 13.05970149 10.07462687 8.208955224 5.079

“NPV” 86.6 88.4 89.4 91.6 97.39470323

“FDR” 22.40802676 19.93127148 18.02721088 14.58333333 9.642935336

“F1-Score” 81.83421517 83.36314848 85.76512456 88.48920863 92.58282086

“MCC” 0.715231456 0.740242561 0.777860443 0.821022297 0.887976512

“Dataset 2”

“Accuracy” 86.06770833 87.5 89.19270833 91.27604167 93.0485

“Sensitivity” 86.56716418 86.94029851 89.17910448 91.04477612 93.051

“Specificity” 85.8 87.8 89.2 91.4 93.046

“Precision” 76.56765677 79.25170068 81.56996587 85.0174216 93.04634768

“FPR” 14.2 12.2 10.8 8.6 6.954

“FNR” 13.43283582 13.05970149 10.82089552 8.955223881 6.949

“NPV” 85.8 87.8 89.2 91.4 93.05065253

“FDR” 23.43234323 20.74829932 18.43003413 14.9825784 6.953652317

“F1-Score” 81.26094571 82.91814947 85.20499109 87.92792793 93.04867378

“MCC” 0.705742323 0.732899442 0.769080998 0.812273071 0.860970001

Terms	Resnet [7]	EfficientNet [26]	Autoencoder [10]	Federated Markov chains [9]	ACRNN-RLSTM
“Dataset 1”
“Accuracy”	86.58854167	87.890625	89.58333333	91.66666667	94.93033333
“Sensitivity”	86.56716418	86.94029851	89.92537313	91.79104478	94.921
“Specificity”	86.6	88.4	89.4	91.6	94.935
“Precision”	77.59197324	80.06872852	81.97278912	85.41666667	90.35706466
“FPR”	13.4	11.6	10.6	8.4	5.065
“FNR”	13.43283582	13.05970149	10.07462687	8.208955224	5.079
“NPV”	86.6	88.4	89.4	91.6	97.39470323
“FDR”	22.40802676	19.93127148	18.02721088	14.58333333	9.642935336
“F1-Score”	81.83421517	83.36314848	85.76512456	88.48920863	92.58282086
“MCC”	0.715231456	0.740242561	0.777860443	0.821022297	0.887976512
“Dataset 2”
“Accuracy”	86.06770833	87.5	89.19270833	91.27604167	93.0485
“Sensitivity”	86.56716418	86.94029851	89.17910448	91.04477612	93.051
“Specificity”	85.8	87.8	89.2	91.4	93.046
“Precision”	76.56765677	79.25170068	81.56996587	85.0174216	93.04634768
“FPR”	14.2	12.2	10.8	8.6	6.954
“FNR”	13.43283582	13.05970149	10.82089552	8.955223881	6.949
“NPV”	85.8	87.8	89.2	91.4	93.05065253
“FDR”	23.43234323	20.74829932	18.43003413	14.9825784	6.953652317
“F1-Score”	81.26094571	82.91814947	85.20499109	87.92792793	93.04867378
“MCC”	0.705742323	0.732899442	0.769080998	0.812273071	0.860970001

6.11. Discussion

The implemented DDoS attack detection system has been implemented successfully and contrasted with various traditional meta-heuristic and classifiers. In Section 6.4, the confusion matrix analysis has been done for the two standard data sources. By employing the actual and prediction values, the estimation has been conducted for the system. From this analysis, it has been revealed that the implemented system produces more accurate values than the other techniques. In Section 6.5, the ROC evaluation has been performed for the two data sources by varying the FPR values over numerous traditional classifiers. From the outcomes, it is shown that the designed ACRNN-RLSTM has acquired lower error rates than the other attack detection techniques. Further, Section 6.6 shows the convergence estimation of the designed EGOA by varying the iteration values over numerous conventional techniques. The outcomes display that the implemented EGOA model attained higher convergence than the other models that support to discover the optimal solutions. Next, Section 6.7 illustrates the statistical analysis of the designed EGOA over other classical algorithms for the two data sources. This result highlighted that the designed EGOA has a high potential in optimizing the attributes. The performance investigation of the implemented task has been provided in Section 6.8 over diverse algorithms and detection techniques for two data sources by varying the epochs. From these estimations, it has been proved that the designed DDoS attack detection model attained its supremacy over other techniques. Moreover, the solutions produce the high accurate outcomes than the other techniques. Section 6.9 illustrates the overall comparative evaluation of the designed model over diverse algorithms and techniques for two resources. From the overall analysis, it has been highlighted that the designed model has superior outcomes than the others. Finally, the K-fold validation has been conducted over numerous machine learning algorithms in Section 6.10. This analysis showcased the efficacy of the designed system. Hence, it has been portrayed that the implemented DDoS attack detection approach identifies the attacks more effectively and precisely than the baseline techniques.

7. Conclusion

The effective mechanism for the detection of DDoS threats has been constructed by utilizing the attention-assisted deep learning techniques. In the beginning, the required data was garnered from the online resources. Further, the achieved data was subjected to the feature extraction section, where the features were extracted from the RBM by adopting the DBN. Here, the network hyper-parameters were optimized by applying the suggested EGOA. This EGOA improved the network functionality and diminished the execution time. Lastly, the collected features were subjected to the technique called ACRNN-RLSTM. This network identified the attacks presented in the network and categorized them. In the end, the functionality of the approach was examined by multiple factors and contrasted with other conventional mechanisms. The implemented “DDoS attack” identification mechanism’s accuracy was advanced by 57.75% of TSO, 55.5% of BWO, 56% of DO, and 57% of GOA appropriately when the epoch value was 200 for the second dataset. Thus, the simulation outcomes were attained that confirmed the efficacy of the system for forecasting and avoiding the “DDoS attacks”. The implemented DDoS attack detection system didn’t utilize the attack mitigation strategies that will support to improve the network performance rates. In the future direction, with the support of the advanced techniques, the attack mitigation strategies will be introduced, and also the data confidentiality of the designed work will be enhanced. Moreover, the implemented system will be extended to detect and categorize the larger and more complex attacks.

Conflict of interest

The authors have no conflict of interest to report.

References

Agarwal,

Khari and

Singh, Detection of DDOS attack using deep learning model in cloud storage application, Wireless Personal Communications 127 (2022), 419–439. doi:10.1007/s11277-021-08271-z.

Ahmad,

Wan and

Ahmad, A big data analytics for DDOS attack detection using optimized ensemble framework in Internet of things, Internet of Things 23 (2023). doi:10.1016/j.iot.2023.100890.

Alkahtani and

T.H.

Aldhyani, Botnet attack detection by using CNN-LSTM model for Internet of things applications, Security and Communication Networks (2021), 1–23.

P.J.

Beslin Pajila,

Golden Julie and

Y.H.

Robinson, FBDR-fuzzy based DDoS attack detection and recovery mechanism for wireless sensor networks, Wireless Personal Communications 122 (2022), 3053–3083. doi:10.1007/s11277-021-09040-8.

Cai,

Jia,

Adepu,

Li and

Yang, ADAM: An adaptive DDoS attack mitigation scheme in software-defined cyber-physical system, IEEE Transactions on Industrial Informatics 19(6) (2023), 7802–7813. doi:10.1109/TII.2023.3240586.

Cao,

Jiang,

Deng,

Wu,

Zhou and

Luo, Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network, IEEE Transactions on Dependable and Secure Computing 19(6) (2022), 3855–3872.

Chen,

Xie,

Zhang and

Xu, ResNet and model fusion for automatic spoofing detection, in: Interspeech, 2017, pp. 102–106. doi:10.21437/Interspeech.2017-1085.

Cherian and

S.L.

Varma, Secure SDN–IoT framework for DDoS attack detection using deep learning and counter based approach, Journal of Network and Systems Management 31(54) (2023).

D’Angelo,

Farsimadan,

Ficco,

Palmieri and

Robustelli, Privacy-preserving malware detection in Android-based IoT devices through federated Markov chains, Future Generation Computer Systems 148 (2023), 93–105. doi:10.1016/j.future.2023.05.021.

10.

D’Angelo,

Farsimadan and

Palmieri, Recurrence plots-based network attack classification using CNN-autoencoders, in: International Conference on Computational Science and Its Applications, 2023, pp. 191–209.

11.

Dong and

Sarem, DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks, IEEE Access 8 (2020), 5039–5048. doi:10.1109/ACCESS.2019.2963077.

12.

Dong and

Sarem, DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks, IEEE Access 8 (2020), 5039–5048. doi:10.1109/ACCESS.2019.2963077.

13.

A.S.

Eesa,

Orman and

A.M.A.

Brifcani, A novel feature-selection approach based on the cuttlefish optimization algorithm for intrusion detection systems, Expert systems with applications 42(5) (2015), 2670–2679. doi:10.1016/j.eswa.2014.11.009.

14.

A.A.

Elsaeidy,

Jamalipour and

K.S.

Munasinghe, A hybrid deep learning approach for replay and DDoS attack detection in a smart city, IEEE Access 9 (2021), 154864–154875. doi:10.1109/ACCESS.2021.3128701.

15.

Erhan and

Anarim, Hybrid DDoS detection framework using matching pursuit algorithm, IEEE Access 8 (2020), 118912–118923. doi:10.1109/ACCESS.2020.3005781.

16.

Fadaei Fouladi,

Ermiş and

Anarim, A DDoS attack detection and countermeasure scheme based on DWT and auto-encoder neural network for SDN, Computer Networks 214 (2022).

17.

W.I.

Khedr,

A.E.

Gouda and

E.R.

Mohamed, FMDADM: A multi-layer DDoS attack detection and mitigation framework using machine learning for stateful SDN-based IoT networks, IEEE Access 11 (2023), 28934–28954. doi:10.1109/ACCESS.2023.3260256.

18.

Kim,

El-Khamy and

Lee, Residual LSTM: Design of a deep recurrent architecture for distant speech recognition, 2017, arXiv.

19.

Mahdavi Hezavehi and

Rahmani, An anomaly-based framework for mitigating effects of DDoS attacks using a third party auditor in cloud computing environments, Cluster Computing 23 (2020), 2609–2627. doi:10.1007/s10586-019-03031-y.

20.

Makuvaza,

D.S.

Jat and

A.M.

Gamundani, Deep neural network (DNN) solution for real-time detection of distributed denial of service (DDoS) attacks in software defined networks (SDNs), SN Computer Science 2(107) (2021).

21.

X.-H.

Nguyen and

K.-H.

Le, Robust detection of unknown DoS/DDoS attacks in IoT networks using a hybrid learning model, Internet of Things 23 (2023).

22.

Oluchi Anyanwu,

C.I.

Nwakanma,

J.-M.

Lee and

D.-S.

Kim, Optimization of RBF-SVM kernel using grid search algorithm for DDoS attack detection in SDN-based VANET, IEEE Internet of Things Journal 10(10) (2023), 8477–8490.

23.

J.-S.

Pan,

L.-G.

Zhang,

R.-B.

Wang,

Snasel and

S.-C.

Chu, Gannet optimization algorithm: A new metaheuristic algorithm for solving engineering optimization problems, Mathematics and Computers in Simulation 202 (2022), 343–373. doi:10.1016/j.matcom.2022.06.007.

24.

Raghava Swamy Dora and

Naga Lakshmi, Optimal feature selection with CNN-feature learning for DDoS attack detection using meta-heuristic-based LSTM, International Journal of Intelligent Robotics and Applications 6 (2022), 323–349. doi:10.1007/s41315-022-00224-4.

25.

Salehinejad,

Sankar,

Barfett,

Colak and

Valaee, Recent advances in recurrent neural networks, 2018, arXiv.

26.

S.B.

Sandouka,

Bazi and

M.M.

Al Rahhal, EfficientNet Combined with Generative Adversarial Networks for Presentation Attack Detection, IEEE, 2020, pp. 1–5.

27.

Toklu and

Şimşek, Two-layer approach for mixed high-rate and low-rate distributed denial of service (DDoS) attack detection and filtering, Arabian Journal for Science and Engineering 43 (2018), 7923–7931. doi:10.1007/s13369-018-3236-9.

28.

J.E.

Varghese and

Muniyal, An efficient IDS framework for DDoS attacks in SDN environment, IEEE Access 9 (2021), 69680–69699. doi:10.1109/ACCESS.2021.3078065.

29.

Wang,

Xu,

Yana,

Sun and

Chen, Intelligent Bearing Fault Diagnosis Using Multi-Head Attention-Based CNN, Elsevier, 2020.

30.

Wang and

Yang, An intelligent method for real-time detection of DDoS attack based on fuzzy logic, Journal of Electronics (China) 25 (2008), 511–518. doi:10.1007/s11767-007-0056-6.

31.

Xie,

Han,

Zhou,

Z.R.

Zhang,

Han and

Tang, Tuna swarm optimization: A novel swarm-based metaheuristic algorithm for global optimization, Computational intelligence and Neuroscience (2021), 1–22. doi:10.1155/2021/9696472.

32.

Xunyi,

Ruchuan and

Haiyan, Wavelet analysis method for detection of DDoS attack on the basis of self-similarity, Frontiers of Electrical and Electronic Engineering in China 2 (2007), 73–77. doi:10.1007/s11460-007-0013-z.

33.

Yu,

Yang and

Tang, A Novel Multistage Deep Belief Network Based Extreme Learning Machine Ensemble Learning Paradigm for Credit Risk Assessment, Springer, 2015.

34.

Yu,

Zhang,

Liu,

Zhang,

Li and

Xu, A cooperative DDoS attack detection scheme based on entropy and ensemble learning in SDN, EURASIP Journal on Wireless Communications and Networking 90 (2021).

35.

N.M.

Yungaicela-Naula,

Vargas-Rosales,

J.A.

Perez-Diaz,

Jacob and

Martinez-Cagnazzo, Physical assessment of an SDN-based security framework for DDoS attack mitigation: Introducing the SDN-SlowRate-DDoS dataset, IEEE Access 11 (2023), 46820–46831. doi:10.1109/ACCESS.2023.3274577.

36.

Zakaria Bawany,

J.A.

Shamsi and

Salah, DDoS attack detection and mitigation using SDN: Methods, practices, and solutions, Arabian Journal for Science and Engineering 42 (2017), 425–441. doi:10.1007/s13369-017-2414-5.

37.

Zhong,

Li and

Meng, Beluga whale optimization: A novel nature-inspired metaheuristic algorithm, Knowledge-Based Systems 251(109215) (2022).

38.

Zhou,

Zheng,

Jia and

Shu, Collaborative prediction and detection of DDoS attacks in edge computing: A deep learning-based approach with distributed SDN, Computer Networks 225 (2023).