Unsupervised DDoS Detection in High-Speed Networks: An Evaluation Using Real Transit Provider Data

Abstract


Distributed denial-of-service (DDoS) attack detection has been widely studied by academia over the past decade. Despite this progress, recent surveys show that detection in environments such as Internet Transit Providers (ITPs) remains challenging due to high-speed constraints. This study evaluates four anomaly detection algorithms, namely Autoencoder, Isolation Forest, Local Outlier Factor, and One-Class Support Vector Machine, using three datasets collected from operational ITPs during confirmed DDoS attacks. The evaluation considers four temporal aggregation windows and three feature selection configurations, with the objective of analyzing the predictive capacity of the algorithms under different temporal and feature selection settings. The results show that the Autoencoder performed best when using the most aggressive feature selection configuration and the shortest temporal aggregation windows.

Published
25/05/2026
CHIANFA, Murilo A.; MIANI, Rodrigo S.; ZARPELÃO, Bruno B. Unsupervised DDoS Detection in High-Speed Networks: An Evaluation Using Real Transit Provider Data. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 44., 2026, Praia do Forte/BA. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026. p. 1485-1498. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2026.19291.
