A Framework for Network Traffic–Based DDoS Attack Detection and Explanation

  • Roberta Viola Instituto Kunumi / UFMG
  • Michele Nogueira UFMG
  • Adriano Veloso Instituto Kunumi / UFMG

Abstract


This paper presents TRACE-NET, an auditable and governed framework for network traffic-based DDoS attack detection and explanation. TRACE-NET combines a traffic classifier with feature attribution to generate instance-level explanations grounded in observable flow behavior. A deterministic jury score summarizes the epistemic support of each detection by jointly assessing model confidence and the structure of characteristic attributions, penalizing weak, ambiguous, or single-dominant evidence independently of ground truth. A Large Language Model (LLM) is used strictly as a post-hoc translation layer. Experiments on the CICDDoS2019 dataset show that TRACE-NET reduces explanation risk inflation from 88% to 32% by anchoring explanations to auditable reliability signals, aligning operational security requirements with emerging regulatory demands for transparent, accountable, and risk-aware AI systems in network security.
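A sketch of how a deterministic, ground-truth-free score of the kind described above could be computed, added here as an illustration; it is not the paper's formula or code. The function name `jury_score`, the thresholds, the entropy-based reading of "ambiguous", and the sample feature names and values are all assumptions.

```python
import math

# Illustrative thresholds (assumptions, not values from the paper).
MIN_MASS = 0.10       # total |attribution| below this counts as weak evidence
MAX_TOP_SHARE = 0.60  # one feature above this share dominates the explanation
MAX_ENTROPY = 0.95    # normalized entropy above this means diffuse attribution


def jury_score(class_probs, attributions):
    """Score one detection in [0, 1] from model output only (no ground truth).

    class_probs:  {label: probability} from the traffic classifier
    attributions: {feature: signed attribution} for the predicted class
    Returns (score, flags); flags name the penalties that fired.
    """
    ranked = sorted(class_probs.values(), reverse=True)
    # Confidence term: margin between the top two classes.
    margin = ranked[0] - (ranked[1] if len(ranked) > 1 else 0.0)

    mags = [abs(v) for v in attributions.values()]
    mass = sum(mags)
    if mass < MIN_MASS:  # also covers an empty attribution vector
        return 0.0, ["weak_evidence"]

    shares = [m / mass for m in mags]
    top_share = max(shares)
    entropy = -sum(s * math.log(s) for s in shares if s > 0)
    norm_entropy = entropy / math.log(len(shares)) if len(shares) > 1 else 0.0

    structure, flags = 1.0, []
    if top_share > MAX_TOP_SHARE:
        flags.append("single_dominant")
        structure *= max(0.0, (1 - top_share) / (1 - MAX_TOP_SHARE))
    if norm_entropy > MAX_ENTROPY:
        flags.append("ambiguous")
        structure *= max(0.0, (1 - norm_entropy) / (1 - MAX_ENTROPY))
    return round(margin * structure, 4), flags


# Constructed sample detections (not taken from CICDDoS2019).
PROBS = {"ddos": 0.97, "benign": 0.03}
SPREAD = {"pkts_per_s": 0.45, "syn_count": 0.25, "pkt_len_mean": 0.15,
          "iat_mean": -0.10, "init_win": 0.05}
DOMINANT = {"pkts_per_s": 0.90, "syn_count": 0.05, "iat_mean": 0.05}

if __name__ == "__main__":
    for name, attr in (("spread", SPREAD), ("dominant", DOMINANT)):
        print(name, jury_score(PROBS, attr))
```

Both sample detections carry the same classifier confidence; only the attribution structure differs, which is what separates their scores.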

Published
25/05/2026
VIOLA, Roberta; NOGUEIRA, Michele; VELOSO, Adriano. A Framework for Network Traffic–Based DDoS Attack Detection and Explanation. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 44., 2026, Praia do Forte/BA. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026. p. 15-28. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2026.19395.
