Group 9 - Real-time DDoS Detection using Machine Learning

The document presents a machine learning-based system for real-time DDoS detection, addressing the limitations of traditional security systems. It utilizes a hybrid model combining XGBoost and LSTM, achieving high precision and low latency in detecting attacks. Future work aims to enhance adaptability and scalability while improving the system's ability to handle new attack types.

Uploaded by Anjorin Adedapo

Real-time DDoS Detection using Machine Learning

Presented by Group 9

INTRODUCTION

DDoS (Distributed Denial-of-Service) attacks flood networks with fake traffic, making online services unavailable. These attacks are becoming increasingly sophisticated, affecting financial institutions, government infrastructure, and enterprises. The objective of this project is to develop a machine learning-based detection system that provides real-time protection with minimal latency.

PROBLEM STATEMENT

Traditional rule-based security systems, such as Snort and Suricata, struggle against evolving attack patterns. Attack traffic often disguises itself as legitimate, making detection more challenging. One of the major issues is the extreme class imbalance, where attack traffic constitutes a very small fraction of total network activity. There is a need for an adaptive system capable of evolving with emerging threats.

PROPOSED SOLUTION

Our approach leverages a hybrid machine learning model that combines supervised learning with real-time anomaly detection. By implementing XGBoost and LSTM, the system can recognize both known and novel attack vectors. It is designed to be deployed as a REST API or integrated into Apache Kafka for large-scale traffic monitoring and analysis.

DATA COLLECTION

To train the model effectively, we collected attack traffic using tools such as hping3, LOIC (Low Orbit Ion Cannon), and Slowloris. For benign traffic, we utilized real-world datasets from MAWI, CICIDS2017, and Kaggle's DDoS dataset. Feature engineering focused on extracting statistical and temporal features, including packet rate variance, entropy of source IPs, and protocol-specific distributions.

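The slide names three feature families but does not show how they are computed from a packet stream. The following is an added example (not the group's code or any of the datasets mentioned) that groups packets into fixed one-second windows and computes packet rate, packet-rate variance over 100 ms sub-bins, Shannon entropy of the source-IP distribution, and the protocol mix. The `Packet` record, the window sizes and the sample stream (five quiet internal hosts followed by a 200-packet UDP burst from 100 addresses in the TEST-NET-3 range) are all constructed for the example. Note that source-IP entropy moves in both directions: a flood from many spoofed addresses drives it up, while a single-source flood collapses it toward zero, so the useful signal is deviation from the host's baseline rather than the absolute value.

```python
"""Windowed traffic features for DDoS detection: packet rate, packet-rate
variance, source-IP entropy and protocol mix (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import log2
from statistics import pvariance


@dataclass(frozen=True)
class Packet:
    ts_ms: int     # arrival time in milliseconds (integers avoid float binning errors)
    src_ip: str
    proto: str     # "TCP", "UDP" or "ICMP"


PROTOCOLS = ("TCP", "UDP", "ICMP")


def source_ip_entropy(packets):
    """Shannon entropy (bits) of the source-IP distribution in a window."""
    counts = Counter(p.src_ip for p in packets)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def protocol_distribution(packets):
    """Fraction of packets per protocol, always keyed by every entry of PROTOCOLS."""
    counts = Counter(p.proto for p in packets)
    total = len(packets)
    return {proto: counts.get(proto, 0) / total for proto in PROTOCOLS}


def extract_features(packets, window_ms=1000, sub_bin_ms=100):
    """Group packets into fixed windows and compute per-window features.

    rate_variance is the population variance of the packet rate (pps) measured
    over sub_bin_ms slices of the window, so a burst that lands in a few slices
    scores high even when the whole-window average rate looks modest."""
    windows = defaultdict(list)
    for p in packets:
        windows[p.ts_ms // window_ms].append(p)

    n_bins = window_ms // sub_bin_ms
    features = []
    for w_index in sorted(windows):
        pkts = windows[w_index]
        bin_counts = [0] * n_bins
        for p in pkts:
            bin_counts[(p.ts_ms % window_ms) // sub_bin_ms] += 1
        bin_rates = [c * 1000 / sub_bin_ms for c in bin_counts]   # packets per second
        features.append({
            "window_start_ms": w_index * window_ms,
            "packet_rate": len(pkts) * 1000 / window_ms,
            "rate_variance": pvariance(bin_rates),
            "src_ip_entropy": source_ip_entropy(pkts),
            "proto": protocol_distribution(pkts),
        })
    return features


def constructed_stream():
    """Constructed sample (not real capture data): one second of quiet traffic
    from five internal hosts, then a 200-packet UDP burst from 100 distinct
    203.0.113.x addresses packed into the first 400 ms of the next second."""
    benign = [Packet(i * 50, f"10.0.0.{i % 5 + 1}", "TCP" if i % 4 != 3 else "UDP")
              for i in range(20)]
    flood = [Packet(1000 + i * 2, f"203.0.113.{i % 100}", "UDP") for i in range(200)]
    return benign + flood


if __name__ == "__main__":
    for feat in extract_features(constructed_stream()):
        print(feat)
```

On the constructed stream the quiet window reports 20 pps with zero rate variance, entropy log2(5) and a 75/25 TCP/UDP mix, while the flood window reports 200 pps, a rate variance of 60000 pps² (four 500 pps slices next to six empty ones), entropy log2(100) and 100% UDP; the same function is what a Kafka consumer would call on each closed window before handing the feature vector to the classifier.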
HANDLING CLASS IMBALANCE

Since attack traffic is rare, comprising only about 1% of total data, models tend to be biased toward benign traffic.

Solutions Implemented:
● Applied SMOTE (Synthetic Minority Oversampling Technique) to generate synthetic attack samples and balance the dataset.
● Implemented class-weighted optimization to assign higher importance to minority attack samples, thereby reducing false negatives.

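Both countermeasures on this slide can be shown in a few dozen lines without a learning library. The following is an added example (not the group's code; it uses neither imbalanced-learn nor XGBoost) with a minimal pure-Python SMOTE, which places each synthetic point on the segment between a random minority sample and one of its k nearest minority neighbours, and the "balanced" class-weight formula n_samples / (n_classes × n_samples_in_class) that XGBoost users typically feed in as per-sample weights. The (packet_rate, src_ip_entropy) dataset of 99 benign and 3 attack windows is constructed for the example and is more imbalanced in flavour than in ratio (about 3%, versus the ~1% the slide describes).

```python
"""Rebalancing a rare-attack dataset: a minimal SMOTE and balanced class
weights, in pure Python (added example)."""
import random
from collections import Counter
from math import dist


def class_weights(labels):
    """Balanced weighting: n_samples / (n_classes * n_samples_in_class).
    The rare class gets a proportionally larger weight, so a missed attack
    costs the loss function far more than a misclassified benign window."""
    counts = Counter(labels)
    n, k = len(labels), len(counts)
    return {label: n / (k * cnt) for label, cnt in counts.items()}


def smote(minority, n_synthetic, k=5, seed=0):
    """Create n_synthetic points, each on the segment between a randomly chosen
    minority sample and one of its k nearest minority neighbours (Euclidean)."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_synthetic):
        i = rng.randrange(len(minority))
        x = minority[i]
        others = [j for j in range(len(minority)) if j != i]
        neighbours = sorted(others, key=lambda j: dist(minority[j], x))[:k]
        nb = minority[rng.choice(neighbours)]
        lam = rng.random()             # 0 <= lam < 1 keeps the point on the segment
        synthetic.append(tuple(xi + lam * (ni - xi) for xi, ni in zip(x, nb)))
    return synthetic


def balance(features, labels, minority_label=1, k=5, seed=0):
    """Oversample the minority class until it matches the largest class.
    Returns new feature and label lists; the inputs are left unmodified."""
    counts = Counter(labels)
    target = max(counts.values())
    minority = [f for f, lab in zip(features, labels) if lab == minority_label]
    extra = smote(minority, target - counts[minority_label], k=k, seed=seed)
    return list(features) + extra, list(labels) + [minority_label] * len(extra)


# Constructed sample (not real data): (packet_rate, src_ip_entropy) per window,
# 99 benign windows and 3 attack windows.
BENIGN = [(20.0 + i % 10, 2.0 + (i % 5) * 0.1) for i in range(99)]
ATTACK = [(500.0, 6.5), (520.0, 6.7), (480.0, 6.4)]
LABELS = [0] * 99 + [1] * 3


if __name__ == "__main__":
    print("class weights:", class_weights(LABELS))
    X, y = balance(BENIGN + ATTACK, LABELS)
    print("after SMOTE:", Counter(y), "first synthetic:", X[102])
```

Two things worth noticing when running it: the attack class weight comes out at 17.0 against roughly 0.52 for benign, and every synthetic attack window lies inside the bounding box of the three real ones, which is exactly why SMOTE should be applied only to the training split (oversampling before the split leaks near-copies of test points into training and inflates the reported precision and recall).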
MODEL TRAINING & EVALUATION

We employed XGBoost, a gradient boosting algorithm, and LSTM, a deep learning model for sequential data. Model performance was assessed using precision, recall, and F1-score, achieving values above 95%.

The system demonstrated detection latency between 10 and 50 milliseconds per packet, making it suitable for real-time deployment.

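The slide reports precision, recall and F1 rather than accuracy, and with a 1% attack rate that choice matters: a detector that never fires is 99% accurate and useless. The following is an added example (not the group's evaluation code) that computes the confusion counts and the three metrics from label and prediction lists, then sweeps the classifier's score threshold to pick the one with the highest F1, which is how a probability-emitting model such as XGBoost is turned into an alert decision. The 1000-window evaluation set and the score values in it are constructed for the example.

```python
"""Evaluating a DDoS detector on imbalanced data: confusion counts, precision,
recall, F1 and accuracy, plus F1-based threshold selection (added example)."""


def evaluate(y_true, y_pred, positive=1):
    """Confusion counts and derived metrics. Precision and recall are defined
    as 0.0 when their denominator is 0 (e.g. a detector that never fires)."""
    tp = fp = fn = tn = 0
    for t, p in zip(y_true, y_pred):
        if p == positive:
            if t == positive:
                tp += 1
            else:
                fp += 1
        elif t == positive:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "f1": f1,
            "accuracy": (tp + tn) / len(y_true)}


def best_threshold(y_true, scores):
    """Try every distinct score as the alert threshold (alert when score >=
    threshold) and return (threshold, metrics) for the highest F1; on ties
    the higher threshold, i.e. the one with fewer false positives, is kept."""
    best = None
    for thr in sorted(set(scores), reverse=True):
        m = evaluate(y_true, [1 if s >= thr else 0 for s in scores])
        if best is None or m["f1"] > best[1]["f1"]:
            best = (thr, m)
    return best


# Constructed evaluation set (not real results): 1000 traffic windows, 10 of
# them attacks (1%), labels first so the score list below lines up with them.
Y_TRUE = [1] * 10 + [0] * 990
# Model scores in the same order: six attacks score high, three are borderline,
# one is missed; ten benign windows score above the usual noise floor.
SCORES = ([0.95] * 6 + [0.55] * 3 + [0.35]
          + [0.05] * 980 + [0.45] * 7 + [0.6] * 3)
NEVER_ALERT = [0] * 1000   # a "detector" that flags nothing


if __name__ == "__main__":
    print("never alert:", evaluate(Y_TRUE, NEVER_ALERT))
    thr, metrics = best_threshold(Y_TRUE, SCORES)
    print(f"best threshold {thr}:", metrics)
```

On the constructed set the silent detector scores 0.99 accuracy with zero recall, while the threshold sweep settles on 0.55 (9 of 10 attacks caught, 3 false alarms, precision 0.75, recall 0.9, F1 0.82); raising the threshold to 0.95 would remove every false positive but drop recall to 0.6, which is the trade-off the F1 figures on the next slide summarise.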
REAL-TIME DEPLOYMENT

Our system captures live network traffic using libpcap and processes it through Apache Kafka for efficient high-throughput streaming. Once detected, attacks trigger automated mitigation strategies such as IP blacklisting, dynamic rate-limiting, and BGP rerouting to prevent network degradation.

PERFORMANCE COMPARISON

Model                     Precision   Recall   F1-Score   Latency
XGBoost                   96%         95%      95.5%      18ms
LSTM                      97%         94%      95%        22ms
SVM                       89%         82%      85%        12ms
Snort (Signature-based)   78%         67%      72%         8ms

LIMITATIONS & FUTURE WORK

Despite its high performance, the system faces challenges in handling new, previously unseen attack types, particularly zero-day DDoS attacks. Another challenge is managing real-time class imbalance in live traffic. Future enhancements include continuous learning by updating models with new attack patterns, cloud scalability using Kubernetes for auto-scaling, and hybrid anomaly detection through deep learning autoencoders to detect unknown attack vectors.

CONCLUSION

Machine learning-powered DDoS detection significantly improves response time and accuracy compared to traditional methods. By combining multiple detection techniques, our approach achieves a balance between efficiency and effectiveness in real-time network protection. Moving forward, further research and development will focus on improving adaptability, automating response mechanisms, and scaling detection for enterprise-level deployments.