
Forecasting Future DDoS Attacks using Long Short Term Memory (LSTM) Model

Author: Hassan, Aslinda
Publisher: Zenodo
DOI: 10.5281/zenodo.17293474
Source: https://zenodo.org/records/17293474/files/17425ijwmn07.pdf
International Journal of Wireless & Mobile Networks (IJWMN), Vol.17, No. 4, August 2025
DOI:10.5121/ijwmn.2025.17407
FORECASTING FUTURE DDOS ATTACKS USING
LONG SHORT TERM MEMORY (LSTM) MODEL
Kong Mun Yeen 1, Rafidah Md Noor 1, Wahidah Md Shah 2, Aslinda Hassan 2
and Muhammad Umair Munir 1
1 Faculty of Computer Science and Information Technology, Universiti Malaya, Kuala
Lumpur, Malaysia
2 Fakulti Teknologi Maklumat dan Komunikasi (FTMK), Universiti Teknikal Malaysia
Melaka (UTeM)
ABSTRACT
This paper forecasts future Distributed Denial-of-Service (DDoS) attacks using deep learning models.
Although several studies address forecasting DDoS attacks, they remain relatively limited compared to
detection-focused research. By studying the current trends and forecasting based on newer and updated
datasets, mitigation plans against the attacks can be planned and formulated. The methodology used in this
research work conforms to the Cross Industry Standard Process for Data Mining (CRISP-DM) model.
Leveraging cyberattack data from the COVID-19 period (2019–2020), sourced from Digital Attack Map
and compiled by Arbor Networks, the study aims to identify recent attack trends and forecast future activity
to support proactive mitigation strategies. The dataset was examined using statistical analysis techniques
to identify prevailing patterns, with emphasis on the frequency of attacks, the duration of attack instances,
and the maximum throughput recorded during each incident. Compared to other deep learning models, the
LSTM model is proposed for its ability to learn long-term temporal patterns in evolving DDoS traffic. The
performance of LSTM model was evaluated using Mean Squared Error (MSE) under varying neuron
counts and window sizes. While the model demonstrated limited predictive accuracy in terms of absolute
values, the visual comparison between the predicted and actual data using line charts revealed close
alignment in trend patterns. This suggests that the model captures the underlying temporal dynamics of the
data, thereby providing a promising foundation for future model optimization and performance
enhancement.
KEYWORDS
DDoS Attack, COVID-19 Cyberattack, Deep Learning, LSTM
1. INTRODUCTION
Many cyberattack methods are well known, including but not limited to phishing, spoofing,
malware infections, ransomware, and Denial-of-Service (DoS) attacks. A DoS attack occurs
when an attacker attempts to disable a service, server, or network. Attackers attempt to make
services inaccessible by overwhelming the available resources on the hosting server,
infrastructure and/or systems. However, DoS can be easily tracked, as it could contain
information about the attacker that can be obtained from network traces and attack logs.
Distributed Denial-of-Service (DDoS) is a distributed form of the DoS attack, and it is harder for
cybersecurity solutions such as Intrusion Detection Systems (IDS) and Intrusion Prevention
Systems (IPS) to detect. This is because the DDoS attacks originate from multiple sources and
target one or more victims simultaneously, making it very difficult to pinpoint the real source of
the attack.
Government agencies, healthcare providers, and large organizations are among the main targets
of cyberattacks [1]. It is also reported that there is a 372% increase in DDoS attacks on healthcare
organizations since the end of 2020. In Germany, the first fatal death due to a cyberattack on a
hospital was reported. A higher increase in DDoS attacks was also reported by Cloudflare in their
2021 Q2 security report [2]. By understanding the trends of DDoS attack classes, businesses,
governments, and organisations can mitigate the incidents by taking preventive and
countermeasures to strengthen network security and resiliency towards DDoS targeted attack
classes.
1.1. Issues and Challenges
DDoS attacks can generally be classified as signature-based and anomaly-based attacks. Most
Intrusion Detection Systems can detect signature-based attacks, as there are patterns in the attacks
[3]. Anomaly-based attacks, on the other hand, do not have fixed patterns. Hence, it is harder for
existing cybersecurity solutions to detect such attacks. DDoS attacks, which are constantly
changing and evolving, will be difficult for organizations and other entities to keep their network
security in check. The inability to predict attacks leads to poor mitigation planning, which can
ultimately impact business continuity. It is estimated that losses due to cybercrimes can reach
$10.5 trillion by 2025 [2]. Most existing research relies on publicly available datasets such as
CAIDA (Center for Applied Internet Data Analysis), NSL-KDD, and CICIDS2017 (datasets
available from the Canadian Institute for Cybersecurity) [4]. These datasets are outdated and do
not reflect the current DDoS attack trends during the COVID-19 pandemic [5]. On top of that,
existing detection models proposed by researchers are more focused on protocol and application
and network layer attacks, instead of transportation or exploitation-type attacks [3], [6]. This will
potentially increase the false negatives when the datasets do not contain new types of DDoS
attacks. Many researchers have presented several approaches to detecting and predicting DDoS
attacks using various machine learning algorithms. One of the main limitations of machine
learning methods is the amount of data they can process and the time needed to process it. This is
in comparison to the deep learning approach, which can handle more data [5]. A study from
Sahoo et al. [7] shows that using deep learning is proven to be very efficient in predicting DDoS
attacks.
1.2. Potential Solutions
In the study of DDoS attacks, the Long Short-Term Memory (LSTM) and Recurrent Neural
Network (RNN) are some of the techniques used to develop the machine-learning-based
detection and prediction models for DDoS attacks. LSTM and RNN belong to the family of deep
learning algorithms. This is due to the ability of this family of deep learning algorithms. LSTM is
considered one of the most effective techniques for predicting nonlinear, time-variant data
compared to other neural network and machine learning methods [3]. This effectiveness is due to
the ability of LSTM to learn longer historical data and the ability to solve the gradient problems
associated with the Back Propagation RNN technique [8]. LSTM has also been studied for other
time-series-based forecasting, such as traffic speeds and the stock market. A predictive system,
rather than one limited to detection, would allow the user or organisation to pre-emptively
produce a mitigation plan for defending against such attacks. The proposed solution is a process
of predicting DDoS attack trends using datasets gathered from 2019-2021 (during the COVID-19
pandemic). Section 2 provides literature reviews of previous research related to this research
topic. Section 3 presents the methodology used in the trend study and prediction of DDoS attacks.
It explains various tools and methods that have been employed in this research. Section 4 reports
findings and explains in detail the interpretation of the findings. Finally, section 6 concludes this
research and potential future work.
2. RELATED WORK
The COVID-19 pandemic has given opportunities to many cyberattacks, targeting various
organisations and critical infrastructure across the globe, including but not limited to healthcare
services [9]. Many types of attacks were discovered, such as phishing, malware, communications
platform compromise (e.g., Zoom, Microsoft Teams), and Denial-of-Service (DoS). DoS and
Distributed DoS (DDoS) are very popular types of attack globally due to their being easy to
implement but a lot harder to defend against. Due to this, it could be seen as the most dangerous
type of cyberattack [5].
In a study from Khan et al. [10], the top ten deadly cyber-security threats were identified during
the COVID-19 pandemic. By analysing the range of cyberattack incidents, the study found loose
correlations between key events or announcements and cyberattacks. Among the top 10 threats,
DDoS is the top-ranked attack as seen by most government and healthcare organisations. The
journal concludes that with the rise of ubiquitous computing, there is an increase in cybersecurity
threats as well, thus enforcing the need to increase vigilance in defending against them. Figure 1
categorises the DDoS attack types, the detection and mitigation methods. It also highlights
prediction tools and techniques, emphasizing deep learning (e.g., LSTM), machine learning,
statistical, and knowledge-based approaches.
Figure 1. Taxonomy of DDoS
2.1. DDoS Prediction Algorithms
The term prediction can be quite misleading and is used interchangeably in the reviewed journals,
which led to a lot of confusion. The term prediction could bring different meanings, depending on
the context and usage: detecting if a DDoS attack is being deployed, classifying the type of DDoS
attack when detected, or forecasting the future trend of DDoS attacks.
In the majority of the journals, the context of prediction refers to predicting if a DDoS attack is
happening and classifying the type of attack. In other journals of similar research topics, this is
also referred to as DDoS detection. The focus of these journals is the study of features from
network measurement logs, such as Wireshark traces, to determine if an attack is happening on
the infrastructure and systems.
When a DDoS attack is detected, the next step is to classify the type of DDoS attack to
immediately react appropriately against the attack. This task may reuse the same features that are
employed by DDoS detection algorithms. The topic of classification is generally discussed in the
same journals that study the DDoS detection mechanisms.
A minority of journals researched the topic of predicting DDoS attacks on the premise of
determining when the attack will happen in the future, based on time-based historical data of
known attacks. In some journals, this context of prediction is also called forecasting. This
research project’s focus is on this context of prediction.
2.1.1. Machine Learning Algorithms
Machine learning algorithms can be generally categorized into three types: supervised,
unsupervised, and semi-supervised. In supervised learning, data are labelled and used to train
models that classify network traffic according to attack patterns. The model “learns” these
patterns from a large dataset and produces a fitted model applicable to similar unseen data [11]. In
unsupervised machine learning, data lack labels and are grouped into clusters based on
similarities or learned thresholds, while semi-supervised learning refers to both labelled and
unlabelled data. However, conventional machine learning often struggles to handle large-scale
network traffic effectively. In contrast, deep learning techniques have demonstrated superior
performance, producing lower error rates and higher accuracy [12]. Researchers have explored
multiple deep learning methods to predict DDoS attacks, such as deep multilayer perceptrons
(MLP), recurrent neural networks (RNN), long short-term memory (LSTM), convolutional neural
networks (CNN), and hybrid combinations, to enhance DDoS detection and forecasting [8], [13].
For example, in [14], Nadeem et al. specifically addressed the challenge of low-rate DDoS
(LR-DDoS) detection in Software-Defined Networks (SDN), where traditional approaches often fail
due to the stealthy nature of attack traffic. They proposed an RNN-based framework that extracts
flow-level features from the CIC DoS 2017 dataset (converted via CICFlowMeter) and deploys
the model within an SDN controller for real-time detection. Using Mininet and Ryu controller in
their experimental setup, the method achieved 98.59% detection accuracy, which resulted in
outperforming conventional classifiers such as Random Forest, SVM, MLP, and CNN. Their
results demonstrated that RNNs can effectively capture hidden sequential dependencies in traffic
flows that make them highly suitable for detecting low-rate DDoS attacks in programmable
network environments.
Similarly, another study [15] showed that RNNs achieved lower error rates compared with
Random Forest and demonstrated their ability to capture longer-term historical dependencies,
thereby improving detection performance. In addition, Hnamte et al. [16] proposed a two-stage
deep learning model combining LSTM and Autoencoder (LSTM-AE) for network intrusion
detection. The authors evaluated this on CICIDS2017 and CSE-CICIDS2018 datasets; the hybrid
model showed robust detection capabilities that significantly reduced both false positives and
false negatives in dynamic attack scenarios. Some of the main features used in identifying a
DDoS attack are the number of packets, the time it takes to send the packets, the packet rate, and
the bit rate. Machine learning-based detection has been used by IDS and IPS solutions too [17].
Several machine learning algorithms have been deployed for this purpose, including but not
limited to Naïve Bayes, Random Forest, J48 Decision Tree, Support Vector Machine (SVM),
Decision Tree, and Multilayer Perceptron (MLP). By using the said models, detection and
classification of DDoS attacks can achieve beyond 90% accuracy rate, some even reaching
99%. Support Vector Machine (SVM) and Linear Regression are proposed by Devi S et al. [18] to
predict and classify DDoS attacks on Cloud services. To classify DoS and DDoS attacks, SVM is
used as it can be kernelized to solve non-linear classification problems. Linear Regression is used
for visualizing and forecasting future attacks, due to its ability to predict target variables on a
continuous scale. The approach of the forecast is to determine if packets received are sent by an
authentic user or by an attacker. It is found that SVM is quite suitable for the classification of
UDP-based attacks and somewhat suitable for TCP attacks. But Linear Regression is not suitable
for forecasting as it has a high Mean Squared Error of 488.25 for the training dataset and 473.56
for the test dataset.
Research in Distributed Denial-of-Service (DDoS) attack detection has employed various
machine learning (ML) and deep learning methods to enhance prediction accuracy. Sahoo et
al. [7] evaluated seven ML algorithms, k-Nearest Neighbour (KNN), Naïve Bayes (NB), Support
Vector Machine (SVM), Random Forest (RF), Linear Regression, Artificial Neural Network
(ANN), and Decision Trees, focusing on detecting Smurf, UDP Flood, and HTTP Flood attacks.
Their comparative analysis demonstrated the varying strengths of each algorithm in classifying
attack types. In a different approach, Alguliyev et al. [19] proposed predicting DDoS attacks
using social media text analysis, specifically Twitter data from the USA. By performing
sentiment analysis and employing Convolutional Neural Network (CNN) and an enhanced Long
Short-Term Memory (LSTM) model, their method achieved a prediction accuracy of 0.77,
highlighting the potential of non-network data sources in proactive attack forecasting.
Similarly, [20] explored deep learning approaches for DDoS attacks forecasting, comparing RNN,
LSTM, and GRU algorithms, and found that LSTM outperforms other DL and machine learning
models in predicting DDoS traffic with high accuracy up to 20 seconds ahead. The
latest study [21] evaluates multivariate LSTM models for predicting DDoS attacks, comparing
their performance with other machine learning models on the CICDDoS2019 dataset, achieving
significantly better results than existing techniques in preventing and mitigating DDoS attacks.
On the other hand, Messaoud [22] uses LSTM to classify network traffic, which achieves superior
performance in capturing temporal dependencies in network traffic.
Deep learning has also been leveraged for more complex pattern recognition. Yuan et
al. [15] developed a Bidirectional Recurrent Neural Network (Bi-RNN) model that processed
sequences of network traffic traces from large datasets, effectively reducing the error rate from
7.517% to 2.103% compared to conventional ML models. The study suggested future research
should explore more diverse DDoS vectors and varied system settings. More recently, Berei et
al. [23] used experimental datasets of DoS, DDoS, and normal traffic to evaluate RF, KNN, and
SVM models, achieving accuracy levels above 99%. Their use of double feature selection proved
effective in mitigating overfitting, reducing model complexity, and improving both training and
prediction efficiency. More recently, A aji et al. [24] examined deep learning-driven defenses
for DDoS attacks in cloud environments. The authors categorized the threats into volumetric,
protocol, and application-layer types. While CNNs, LSTMs, RNNs, and Autoencoders achieved
detection accuracies above 99%, the authors noted key challenges including imbalanced datasets,
high computational cost, and the “black-box” nature of DL models.
In addition, Kumar et al. [25] proposed a proactive DDoS detection framework using multiple
deep learning architectures, including DNN, CNN, and LSTM, that was trained on the
CICDDoS2019 dataset. To improve efficiency, the authors applied Pearson Correlation-based
feature selection to remove redundant attributes before training. Their evaluation showed that the
DNN model achieved the highest accuracy (98.31%), followed by CNN (97.27%) and LSTM
(96.78%). While DNN exhibited the best overall classification performance, LSTM recorded the
lowest log-loss (0.45) and high recall, making it well-suited for sequence-based detection
scenarios. These findings reinforce that different deep learning architectures provide distinct
strengths, with DNN excelling in accuracy, CNN in spatial feature extraction, and LSTM in
temporal pattern recognition, highlighting the potential of ensemble or hybrid designs for
proactive DDoS defense. Similarly, Saini et al. [26] proposed a synthesized K-fold
cross-validation approach to improve the robustness of DDoS detection using multiple ML classifiers.
Their framework was tested on several widely used datasets, including CICIDS2017,
CICDDoS2019, CSE-CICIDS2018, and NDSec-1, providing a broad evaluation across different
traffic conditions. The results showed that Random Forest consistently achieved the highest
detection accuracy (up to 99.98%), while other classifiers such as Decision Trees, Logistic
Regression, and k-NN also performed well on certain datasets. By combining K-fold validation
with diverse ML models, their approach reduced variance, improved generalization, and provided
a more reliable benchmark for selecting suitable algorithms in practical DDoS detection
scenarios.
2.2. DDoS Prevention and Mitigation
Bhardwaj et al. [27] study shows that there is no one-shot comprehensive countermeasure against
each known DDoS attack. This increases the complication when cyber attackers keep coming up
with new vector threats and attack derivatives that can avoid detection by IDS and IPS solutions.
Hence, they conclude that more research is needed to design and develop effective DDoS
prevention and mitigation solutions. Due to the difficulty of detecting and predicting DDoS
attacks in advance, at the moment, the ideal time to mitigate DDoS attacks would be at the
beginning of the attack execution, preventing it from arriving at the target. This approach is also
proposed by Jog et al. [12] by forecasting attacks using the ARIMA model. Other mitigation steps
also include keeping up to date with security patches. This helps to prevent exploitation-based
attacks that target flaws in the implementation of specific protocols.
Pranggono & Arabo [28] provides a holistic view of how mitigation and prevention of
cyber-attacks and DDoS can be approached practically. The preventive steps do not focus on DDoS
only, as any weak points can be exploited and contribute to DDoS attacks. User education is very
important to bring awareness of how every person and system contributes to a secure
infrastructure. The use of Virtual Private Networks (VPN) when working remotely allows a
secure working environment, preventing attackers from intercepting communications.
Multi-factor authentication (MFA) strengthens account logins to prevent unauthorised access. All
software applications and firmware versions should be up to date with the latest security patches
to prevent exploitation by attackers. In line with proactive defense, Bi i et al. [29] proposed a
forecasting-based solution for DDoS attacks. Their system combines time-series forecasting and
online change-point detection to anticipate abrupt shifts in attack traffic volume. By dynamically
selecting among multiple statistical models and using change-point alerts to adapt the algorithm
models, the approach forecasts attack flow counts in real time. The authors evaluated the
proposed algorithm on the CICDDoS2019 dataset, and it significantly outperformed traditional
methods like ARIMA and Exponential Smoothing. Their design includes a decision-making
module that, based on forecasted attack levels, triggers early alerts so administrators can initiate
countermeasures before attacks peak.
More recently, Gilmary et al. [30] developed an intelligent prevention and mitigation system
designed for Software-Defined Networking (SDN). Their approach uses a deep neural network
(DNN) model trained on real network traffic to quickly tell apart normal and malicious flows.
The system first collects and filters traffic features (such as packet size, flow duration, and
protocol type) using methods like PCA and Recursive Feature Elimination (RFE). These features
are then fed into the DNN, which classifies the traffic in real time. Once an attack is detected, the
SDN controller can reroute traffic, update flow rules, or apply rate limits to reduce the attack’s
impact while keeping legitimate traffic running. Their experiments showed high accuracy (above
95%) and fewer false positives, proving the method is effective for large-scale environments like
smart city data centers. However, the authors also pointed out some challenges, including the
need for large, labelled datasets, high computational cost, and sensitivity to adversarial attacks.
They suggested that future improvements could come from semi-supervised learning and stronger
anomaly detection techniques. Similarly, Garba et al. [31] proposed a real-time DDoS detection
and mitigation framework for SDN-enabled smart home networks. Their system combines
machine learning classifiers (Decision Tree, SVM, KNN, Logistic Regression) with a SNORT
intrusion detection system to protect both IoT devices and the SDN controller.
Real-world testbed experiments showed that Decision Trees achieved the best performance with
up to 99.5% detection accuracy, while SNORT effectively prevented the controller from being
taken offline during TCP SYN flood attacks. The framework also applied feature selection (e.g.,
PCA) to reduce redundancy and improve efficiency. The authors noted limitations such as dataset
size, need for labelled data, and exclusion of deep learning, suggesting future extensions with
scalable DL methods. Existing research poses several challenges, including the lack of up-to-date
datasets (the latest available is the CICDDoS2019 dataset), specific DDoS attack types, limited
feature selection processes (specific DDoS attack types), and the need for scalable ML models.
Furthermore, while deep learning has shown promise, its real-world deployment feasibility
remains an open question due to computational constraints. This study aims to bridge these gaps
by utilizing the dataset during the COVID-19 pandemic to systematically compare real network
traffic with the prediction by modelling time-series characteristics of attack volume, duration, and
throughput, thereby supporting the development of more resilient and forward-looking
cybersecurity solutions.
3. METHODOLOGY
To ensure a structured and goal-driven approach, the CRISP-DM (Cross Industry Standard
Process for Data Mining) framework is adopted. This methodology provides a comprehensive
guide through six key phases, from understanding the problem context and preparing the
dataset, to model building, evaluation, and deployment. However, in this article, deployment is
excluded.
3.1. Dataset Scraping
The dataset is scraped from the Digital Attack Map website (https://www.digitalattackmap.com).
The website provides live data visualization of DDoS attacks around the globe. It was built
through a collaboration between Google Ideas (now known as Google Jigsaw) and Arbor
Networks (now part of Netscout Systems after multiple acquisitions). The data is sourced from
more than 330 ISPs in the world. It allows users to explore historic trends and find reports of
outages happening on a given day, with rich visualization options and flexible filtering.
To scrape the data, a Chromium-based browser was used (shown in Figure 2). By using the
browser’s Developer Tools, the HTTP/HTTPS communications between the browser and the
server can be observed. From the Network tab, the file attacks_v2.json is found and separately
downloaded from https://www.gstatic.com/ddoz-viz/attacks_v2.json. The size of the file is 163.4
Megabytes.
Figure 2. Scraping data using Chromium-based browser
3.2. Data Understanding
Since the data is scraped from a source with no documentation, it is critical to explore and
understand what is available in the data and how it can be used. Due to the size of the file,
common and popular text editors such as Notepad++ cannot be used as the software would crash
from the size. So, the file is explored using Python and its relevant libraries. The data was
converted into a pandas DataFrame format for easier handling and exploration.
This step aims to understand the dataset in a very general manner, the size, scale, and contents of
the data. The dataset consists of 9 features (columns) and 192,525 samples (rows). As there is no
proper documentation found from the website on what the columns and values represent, the
definitions of the columns are assumed and described in Table 1. Some of these columns will be
used to infer other information that is useful for statistical analysis and training of the LSTM
prediction model.
Table 1. Dataset column description
Column name | Data type | Assumed column description
attack_class | STRING | Class of attack type. In this dataset, the values are Misuse or Detector.
dst_cc | []STRING | An array of destination countries of systems under attack.
dst_ports | []STRING | An array of destination countries of systems under attack.
max_bps | INTEGER | The maximum bit rate that’s logged during the attack in bits per second.
src_cc | []STRING | An array of source countries of the attacker.
src_ports | []INTEGER | An array of source ports of the attacker.
start | TIMESTAMP | Start time of the attack in Unix timestamp.
stop | TIMESTAMP | Stop time of the attack in Unix timestamp.
subclass | STRING | Subclass of the attack type. In this dataset, the values are Bandwidth, DNS Misuse, ICMP, IP Fragment, Protocol, TCPRST, TCPSYN, Total Traffic, and UDP Misuse.
For this research project, the study is done on a global basis. With this consideration, the
following columns are dropped from the dataset: dst_cc, dst_ports, src_cc, and src_ports. In this
dataset, the attacks are divided into the categories as shown in Table 2. Hence, for the rest of this
research project, only the attack subclass is used.
Table 2. Attack classes
Attack Class | Attack Subclass
TCP Connection | TCPSYN, TCPRST, TCPACK, Protocol
Volumetric | UDP Misuse, ICMP, Bandwidth, Total Traffic
Fragmentation | IP Fragment
Application | DNS Misuse
3.3. Data Pre-processing
Data pre-processing is an important step in most data analysis activities to provide an appropriate
platform for statistical analysis and create an accurate prediction model. The dataset may contain
numerous ambiguities, duplicates, errors, and redundant values. Some values are also required to
be cleaned or massaged to be used effectively. The approach to data cleansing is to first identify
the features and target variables in the dataset. Then quickly review the dataset’s value
distribution of the features to check for anomalies with the values and decide on the data
cleansing and massaging approach. Fortunately, the dataset is already clean with no missing
values and imbalances. The next step is to massage the data for more information.
3.3.1. Data Massaging
In the previous step, some useful columns were already identified. Conversions and calculations
are performed on the existing columns to enrich the dataset for better statistical analysis and
prediction modelling.
A. Timestamp conversion
The columns start and stop are in Unix timestamp format. It is converted into a human-readable
format and stored in the columns starttime and stoptime with the pandas timestamp format.
B. Yearly, Monthly, Weekly, and Daily
To simplify the aggregation of data, columns for years, months, weeks, and dates are created by
extracting the information from the column starttime. The aggregated data is only used for
visualization in charts and tables. Additionally, daily aggregated data is used as the input dataset
for the LSTM model for forecasting future DDoS attack trends. For reporting the statistical values,
only the original data set is used. For example, the monthly aggregated data is not derived from
daily aggregated data, as this will calculate averages from averaged data and will cause
inaccuracies.
C. Count
The column count is added with the value 1.0 to simplify the counting of attacks by subclasses
and yearly/monthly/weekly/daily periods. When aggregated, the sum is used.
D. Duration_min
A new column duration_min is added that contains the attack duration via the formula (Stop –
Start)/60, to calculate the attack duration in minutes. When aggregated, the average or mean is
calculated.
E. Max_gbps
The original column reports this data in bits per second (bps). The values are converted to
Gigabits per second (Gbps) for easier interpretation. When aggregated, the average or mean is
calculated.
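The massaging steps A to E above, as an added example that is not the authors' code: it uses only the Python standard library instead of pandas so it runs without dependencies, on constructed sample rows that reuse the Table 1 column names. UTC timestamps and the helper names (enrich, aggregate, daily_series, mean_of_daily_means) are assumptions; the last helper reproduces the inaccuracy step B warns about, where a monthly mean built from daily means differs from the one built from the original rows.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample rows (not taken from the real dataset); keys follow Table 1.
SAMPLE = [
    {"subclass": "TCPSYN",     "start": 1577836800, "stop": 1577837400, "max_bps": 2_000_000_000},
    {"subclass": "UDP Misuse", "start": 1577840400, "stop": 1577841600, "max_bps": 4_000_000_000},
    {"subclass": "ICMP",       "start": 1577844000, "stop": 1577845800, "max_bps": 6_000_000_000},
    {"subclass": "TCPSYN",     "start": 1577923200, "stop": 1577929200, "max_bps": 1_000_000_000},
    {"subclass": "UDP Misuse", "start": 1580515200, "stop": 1580518200, "max_bps": 8_000_000_000},
]


def enrich(row):
    """Apply steps A-E to one raw record and return a new dict."""
    # A. Unix timestamps to datetimes (UTC is an assumption; the source is undocumented).
    starttime = datetime.fromtimestamp(row["start"], tz=timezone.utc)
    stoptime = datetime.fromtimestamp(row["stop"], tz=timezone.utc)
    iso_year, iso_week, _ = starttime.isocalendar()
    return {
        **row,
        "starttime": starttime,
        "stoptime": stoptime,
        # B. Period columns extracted from starttime.
        "year": starttime.year,
        "month": starttime.strftime("%Y-%m"),
        "week": f"{iso_year}-W{iso_week:02d}",
        "date": starttime.date().isoformat(),
        # C. Constant 1.0 so that a sum over a group is the attack count.
        "count": 1.0,
        # D. (Stop - Start) / 60 gives the duration in minutes.
        "duration_min": (row["stop"] - row["start"]) / 60,
        # E. bits per second to Gigabits per second.
        "max_gbps": row["max_bps"] / 1e9,
    }


def aggregate(rows, keys):
    """Group enriched rows by the given columns: sum count, mean the other two."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in keys)].append(r)
    return {
        key: {
            "count": sum(r["count"] for r in grp),
            "duration_min": mean(r["duration_min"] for r in grp),
            "max_gbps": mean(r["max_gbps"] for r in grp),
        }
        for key, grp in sorted(groups.items())
    }


def daily_series(rows, metric="count"):
    """Ordered (date, value) pairs: the daily aggregate used as forecasting input."""
    return [(key[0], agg[metric]) for key, agg in aggregate(rows, ["date"]).items()]


def mean_of_daily_means(rows, month, metric="duration_min"):
    """The shortcut step B rules out: averaging days that are already averages."""
    in_month = [r for r in rows if r["month"] == month]
    return mean(agg[metric] for agg in aggregate(in_month, ["date"]).values())


if __name__ == "__main__":
    rows = [enrich(r) for r in SAMPLE]
    for day, attacks in daily_series(rows):
        print(day, attacks)
    from_rows = aggregate(rows, ["month"])[("2020-01",)]["duration_min"]
    from_days = mean_of_daily_means(rows, "2020-01")
    print("January mean duration from original rows:", from_rows)
    print("January mean duration from daily means:  ", from_days)
```

The two January figures differ because 1 January holds three attacks and 2 January only one, so averaging the daily means gives the single long attack the same weight as the three short ones.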
Figure 9. The Evolving Threat Landscape of DDoS Attacks
5. CONCLUSIONS
The LSTM model appears to be an effective approach to predicting attack trends, even though
the model evaluation is not very conclusive. This is based on how close the predicted trend line is
compared to the actual data. In future research, it is proposed to use an updated data set that
contains a better classification of attacks and more dimensions. This allows for more
comprehensive statistical analysis per dimension, for example, by industry. New attack types may
have also been discovered and classified accordingly. The proposed LSTM model could also be
enhanced further to improve the prediction of irregular spikes by adjusting more hyperparameters
available to the model or by adding more layers to the neural network. Additionally, a forecasting
model that utilizes more features to predict the next timestep value can be developed.
ACKNOWLEDGEMENTS
The authors would like to thank the Center for Advanced Computing Technology (C-ACT),
Fakulti Teknologi Maklumat dan Komunikasi (FTMK), Universiti Teknikal Malaysia Melaka.
REFERENCES
[1] S. N. Last Name and F. N. Last Name, “Analysis on o the evolving cyber-attack trends during
COVID-19 pandemic,” Int. J. Sci. Res. (Raipur), vol. 10, no. 4, pp. 139–144, Apr. 2021.
[2] R. Khweiled, M. Jazzar, and D. Eleyan, “Cybercrimes during COVID-19 Pandemic,” Int.
J. Inf. Eng. Electron. Bus., vol. 13, no. 2, pp. 1–10, Apr. 2021.
[3] M. Shurman, R. Khrais, and A. Yateem, “DoS and DDoS attack detection using deep learning and
IDS,” Int. Arab J. Inf. Technol., vol. 17, no. 4A, pp. 655–661, July 2020.
[4] D.-D. Predicting, Review and Evaluation Study of Feature Selection Methods based on Wrapper
Process.
[5] I. Ortet Lopes, D. Zou, F. A. Ruambo, S. Akbar, and B. Yuan, “Towards effective detection of
recent DDoS attacks: A deep learning approach,” Secur. Commun. Netw., vol. 2021, pp. 1–14,
Nov. 2021.
[6] Machine Learning Techniques used for the Detection and Analysis of Modern Types of DDoS
Attacks.
[7] K. S. Sahoo, A. Iqbal, P. Maiti, and B. Sahoo, “A machine learning approach for predicting DDoS
traffic in software defined networks,” in 2018 International Conference on Information
Technology (ICIT), IEEE, Dec. 2018. doi: 10.1109/icit.2018.00049.
[8] M. Arshi, M. D. Nasreen, and K. Madhavi, “A survey of DDOS attacks using machine learning
techniques,” E3S Web Conf., vol. 184, p. 01052, 2020.

[9] B. Lindemann, T. Müller, H. Vietz, N. Jazdi, and M. Weyrich, “A survey on long short-term
memory networks for time series prediction,” Procedia CIRP, vol. 99, pp. 650–655, 2021.
[10] N. A. Khan, S. N. Brohi, and N. Zaman, “Ten deadly cyber security threats amid COVID-19
pandemic,” May 12, 2020. doi: 10.36227/techrxiv.12278792.v1.
[11] H. Wang and Y. Li, “Overview of DDoS attack detection in software-defined networks,” IEEE
Access, vol. 12, pp. 38351–38381, 2024.
[12] M. Jog, M. Natu, and S. Shelke, “Distributed and predictive-preventive defense against DDoS
attacks,” in Proceedings of the 16th International Conference on Distributed Computing and
Networking, New York, NY, USA: ACM, Jan. 2015. doi: 10.1145/2684464.2684503.
[13] E. Yang, S. Jeong, and C. Seo, “Harnessing feature pruning with optimal deep learning based
DDoS cyberattack detection on IoT environment,” Sci. Rep., vol. 15, no. 1, p. 17516, May 2025.
[14] M. W. Nadeem, H. G. Goh, Y. Aun, and V. Ponnusamy, “A recurrent neural network based
method for low-rate DDoS attack detection in SDN,” in 2022 3rd International Conference on
Artificial Intelligence and Data Sciences (AiDAS), IEEE, Sept. 2022, pp. 13–18.
[15] X. Yuan, C. Li, and X. Li, “DeepDefense: Identifying DDoS attack via deep learning,” in 2017
IEEE International Conference on Smart Computing (SMARTCOMP), IEEE, May 2017. doi:
10.1109/smartcomp.2017.7946998.
[16] V. Hnamte, H. Nhung-Nguyen, J. Hussain, and Y. Hwa-Kim, “A novel two-stage deep learning
model for network intrusion detection: LSTM-AE,” IEEE Access, vol. 11, pp. 37131–37148,
2023.
[17] M. A. Talukder et al., “Machine learning-based network intrusion detection for big and
imbalanced data using oversampling, stacking feature embedding and feature extraction,” J. Big
Data, vol. 11, no. 1, Feb. 2024, doi: 10.1186/s40537-024-00886-w.
[18] B. S. Kiruthika Devi, V. J. Saglani, A. V. Gupta, and T. Subbulakshmi, “Classifying and
predicting DoS and DDoS attacks on cloud services,” in 2018 2nd International Conference on
Trends in Electronics and Informatics (ICOEI), IEEE, May 2018. doi:
10.1109/icoei.2018.8553889.
[19] R. M. Alguliyev, R. M. Aliguliyev, and F. J. Abdullayeva, “Deep learning method for prediction
of DDoS attacks on social media,” Adv. Data Sci. Adapt. Anal., vol. 11, no. 01n02, p. 1950002,
Ap . 2019.
[20] An icipa ing Cybe Th ea s: Deep Lea ning App oaches o DDoS A acks Fo ecas ing.
[21] P. Kuma , C. Kushwaha, D. Se hi, D. Ghosh, P. Gup a, and A. Vidya hi, “In es iga ing he
pe o mance o mul i a ia e LSTM models o p edic he occu ence o Dis ibu ed Denial o
Se ice (DDoS) a ack,” PLoS One, ol. 20, no. 1, p. e0313930, Jan. 2025.
[22] Classi ica ion O Ne wo k T a ic Using Machine Lea ning Models On The NETML Da ase .
[23] E. Be ei, M. A. Khan, and A. Oun, “Machine lea ning algo i hms o DoS and DDoS cybe a acks
de ec ion in eal- ime en i onmen ,” in 2024 IEEE 21s Consume Communica ions & Ne wo king
Con e ence (CCNC), IEEE, Jan. 2024, pp. 1048–1049.
[24] D. M. A. A. A aji, J. Llo e , and L. Peñal e , “Deep lea ning-d i en de ense s a egies o
mi iga ing DDoS a acks in cloud compu ing en i onmen s,” Cybe Secu i y and Applica ions, no.
100085, p. 100085, Jan. 2025.
[25] R. K. Gu ugubelli, K. Bhukya, and R. Choppa, “P oac i e DDoS a acks de ec ion using deep
lea ning echniques,” IET Con . P oc., ol. 2024, no. 30, pp. 275–280, Ma . 2025.
[26] H. K. Saini, A. P. Sha ma, and G. Kau , “A Syn hesized K- old app oach o De ec ing DDoS
a ack using Machine Lea ning Solu ions,” in 2023 In e na ional Con e ence on In eg a ed
In elligence and Communica ion Sys ems (ICIICS), IEEE, No . 2023. doi:
10.1109/iciics59993.2023.10420932.
[27] A. Bha dwaj, G. V. B. Sub ahmanyam, V. A as hi, H. Sas y, and S. Gounda , “DDoS a acks,
new DDoS axonomy and mi iga ion solu ions — A su ey,” in 2016 In e na ional Con e ence on
Signal P ocessing, Communica ion, Powe and Embedded Sys em (SCOPES), IEEE, Oc . 2016.
doi: 10.1109/scopes.2016.7955549.
[28] B. P anggono and A. A abo, “COVID ‐19 pandemic cybe secu i y issues,” In e ne Technol. Le .,
no. i l2.247, Oc . 2020, doi: 10.1002/i l2.247.
[29] R. Bi i , A. De hab, M. Gue oumi, and F. A. Khan, “DDoS a ack o ecas ing based on online
mul iple change poin s de ec ion and ime se ies analysis,” Mul imed. Tools Appl., ol. 83, no. 18,
pp. 53655–53685, No . 2023.
In e na ional Jou nal o Wi eless & Mobile Ne wo ks (IJWMN), Vol.17, No. 4, Augus 2025
104
[30] R. Gilma y, Ka iya, Man izhi, A unkuma , and A unkuma , “In elligen DDoS a ack p e en ion
and mi iga ion in SDN en i onmen ,” in 2025 In e na ional Con e ence on Mul i-Agen Sys ems
o Collabo a i e In elligence (ICMSCI), IEEE, Jan. 2025, pp. 166–171.
[31] U. H. Ga ba, A. N. Toosi, M. F. Pasha, and S. Khan, “SDN-based de ec ion and mi iga ion o
DDoS a acks on sma homes,” Compu . Commun., ol. 221, pp. 29–41, May 2024.
[32] D. Kwon, H. Kim, D. An, and H. Ju, “DDoS a ack olume o ecas ing using a s a is ical
app oach,” in 2017 IFIP/IEEE Symposium on In eg a ed Ne wo k and Se ice Managemen (IM),
IEEE, May 2017. doi: 10.23919/inm.2017.7987432.
AUTHORS
KONG MUN YEEN is a seasoned telecommunications professional and Senior
Consultant at Orbitage, with extensive experience delivering specialized training
across Malaysia, Indonesia and many more. She has developed and conducted courses
such as Certified Internet Protocol Associate (CIPA), Certified Internet Protocol
Engineer (CIPE), GSM & GPRS Overview, 3G Overview, and LTE Planning,
Signalling, and Optimization. Previously a Senior Trainer at ULearn, she holds a
Bachelor’s Degree in Electrical and Electronics Engineering from Universiti Tenaga
Nasional (2003) and a Master of Data Science from Universiti Malaya (2022).
RAFIDAH MD NOOR received the BIT degree from Universiti Utara Malaysia, in 1998, the M.Sc. degree
in computer science from Universiti Teknologi Malaysia, in 2000, and the Ph.D. degree in Computer
Science from Lancaster University, U.K., in 2010. She is currently a Professor at the Department of
Computer Systems and Technology, Faculty of Computer Science and Information Technology, Universiti
Malaya. Her research is related to the field of transportation systems in the computer science research
domain, including vehicular networks, wireless networks, network mobility, quality of service, and the
Internet of Things.
WAHIDAH MD SHAH holds the Bachelor of Information Technology from Universiti
Utara Malaysia, Master of Computer Science from Universiti Teknologi Malaysia and
PhD in Computer Science from Lancaster University, UK. She is currently a Senior
Lecturer in the Department of Computer System and Communication at Universiti
Teknikal Malaysia Melaka. She is a member of the Information Security, Digital
Forensic, and Computer Networking research group. Her research interests include
system and networking, wireless ad-hoc networking, cyber-physical systems (CPS) and
IoT related technology.
ASLINDA HASSAN received the PhD degree in Electrical Engineering from
Memorial University of Newfoundland, St. John's, NL, Canada in 2014. She received the
M.Sc. degree in Computer Science from Universiti Teknologi Malaysia (UTM) and the
B.Sc. degree in Business Administration with honors from University of Pittsburgh,
Pittsburgh, PA, USA in 2001 and 1999, respectively. In 2004, she joined Universiti
Teknikal Malaysia Melaka, where she is currently a Senior Lecturer at the Faculty of
Information and Communication Technology. Her research interests include
vehicular ad hoc networks, vehicular communication, wireless ad-hoc networks, wireless
sensor networks, wireless communication, ad hoc routing protocols, cyber-physical systems (CPS), Internet
of Things (IoT), network performance modelling and analysis as well as network programming interfaces.
MUHAMMAD UMAIR MUNIR received the B.S.C.S. degree (Hons.) from the
University of Central Punjab, in 2017, and the master’s degree in computer science from
Universiti Malaya. He is currently a PhD candidate at Universiti Malaya and Research
assistant to Professor Rafidah Md Noor and Associate Professor Dr. Ismail Ahmedy. His
research interests include the Internet of Things, wireless sensor networks, vehicular
communication, and software quality.