Skip to content
BY 4.0 license Open Access Published by De Gruyter January 12, 2023

Deep learning in distributed denial-of-service attacks detection method for Internet of Things networks

  • Firas Mohammed Aswad , Ali Mohammed Saleh Ahmed , Nafea Ali Majeed Alhammadi , Bashar Ahmad Khalaf and Salama A. Mostafa EMAIL logo


With the rapid growth of informatics systems’ technology in this modern age, the Internet of Things (IoT) has become more valuable and vital to everyday life in many ways. IoT applications are now more popular than they used to be due to the availability of many gadgets that work as IoT enablers, including smartwatches, smartphones, security cameras, and smart sensors. However, the insecure nature of IoT devices has led to several difficulties, one of which is distributed denial-of-service (DDoS) attacks. IoT systems have several security limitations due to their disreputability characteristics, like dynamic communication between IoT devices. The dynamic communications resulted from the limited resources of these devices, such as their data storage and processing units. Recently, many attempts have been made to develop intelligent models to protect IoT networks against DDoS attacks. The main ongoing research issue is developing a model capable of protecting the network from DDoS attacks that is sensitive to various classes of DDoS and can recognize legitimate traffic to avoid false alarms. Subsequently, this study proposes combining three deep learning algorithms, namely recurrent neural network (RNN), long short-term memory (LSTM)-RNN, and convolutional neural network (CNN), to build a bidirectional CNN-BiLSTM DDoS detection model. The RNN, CNN, LSTM, and CNN-BiLSTM are implemented and tested to determine the most effective model against DDoS attacks that can accurately detect and distinguish DDoS from legitimate traffic. The intrusion detection evaluation dataset (CICIDS2017) is used to provide more realistic detection. The CICIDS2017 dataset includes benign and up-to-date examples of typical attacks, closely matching real-world data of Packet Capture. The four models are tested and assessed using Confusion Metrix against four commonly used criteria: accuracy, precision, recall, and F-measure. The performance of the models is quite effective as they obtain an accuracy rate of around 99.00%, except for the CNN model, which achieves an accuracy of 98.82%. The CNN-BiLSTM achieves the best accuracy of 99.76% and precision of 98.90%.

1 Introduction

Distributed denial-of-service (DDoS) attacks have been around for a while and have affected many systems. It started as a denial-of-service assault, in which the hacker utilized a single device to launch the attack. The first major DDoS attack was reported in 2000, when a high school student named “Michael Calce” took down major websites such as, Yahoo,,, CNN, and Dell. Considering that Yahoo was the most widely used search engine at the time [1]. On the other hand, DDoS is when an attacker uses multiple devices to perform the attack, which is more severe than the previous one and much more complicated to detect. A new incident happened to Dyn company. The episodes of attacks that early research indicates may have reached 1.2 tbps, almost twice the amount of the flow volume of Krebs, and appear to have had a substantial impact on reducing the Dyn domain name system (DNS) service. Major names including Twitter, Amazon, Airbnb, Spotify, GitHub, and others were essentially knocked down when the DDoS assault disabled DYN’s DNS anycast server. The attack began on 21 October 2016 and came into action instantly. For a short period, Dyn regained control, but a second attack retook several hours. A few days later, in a statement, Dyn verified what had previously been widely rumored: “We can confirm that a substantial number of attacks have originated in Mirai-based botnets” [2]. We are likely to see more of this occurring in the future since Mirai’s source code has been published. Someone named “Anna-senpai” released the code on the Hack forums website, claiming that she/he had previously been capable of creating botnets as large as 380,000 devices solely through the use of telnet connections, but that this was becoming more difficult due to increased scrutiny by the security community. “ISPs have progressively shut down and cleaned up their actions after Kreb [sic] DDoS. Today, the maximum draw is about 300,000 bots and is decreasing” [3].

The Internet of Things (IoT) is a term that refers to a developing network of physical things that are linked to the Internet. It enables the transition of Internet-connected devices into a connected ecosystem with digital data available from any location and at any time. IoT devices are physical items ranging in size from small to colossal equipment that interact with one another without human involvement through the Internet [4]. Cisco estimates that 50 billion devices are now linked to the Internet [5]. Figure 1 illustrates many instances of IoT devices. These devices are fundamentally resource-restricted; they have a finite amount of memory, limited processing capacity, and limited computing power. Numerous supporting technologies, including wireless sensor networks, radio frequency identification, and cloud computing, have evolved as critical components of the IoT paradigm’s development.

Figure 1 
               IoT device examples [3].
Figure 1

IoT device examples [3].

DDoS attacks come in a variety of shapes and sizes. These attacks are handy and use the same methods as DoS attacks, but on a much bigger scale and a much more sophisticated nature, making protection impossible and leaving behind severe and excruciating consequences to informatics systems and networks [6,7]. Thousands of hacked devices are remotely controlled and are used to assault and immobilize the victim. Figure 2 shows the structure that DDoS takes. The exploited IoT devices are turned into slaves that assess the hacker to form an army-like that sends false requests to a targeted victim, resulting in a complete shutdown. As illustrated in the figure, DDoS can be used in various ways. Any computer connected to the Internet presents an attractive opportunity for compromise, transforming them into zombies without the owner’s knowledge. Zombies assist in DDoS attacks via backdoors, worms, and Trojan horses. By sending them via email, storing them on vulnerable websites, or in the form of advertisements, they can even inject a picture and hide the Trojan in the pixels so that it appears to be a typical picture when opened [8]. Once opened, the software, which is primarily written in JavaScript, will download payloads onto the user’s undetected devices.

Figure 2 
               The structure of the DDoS attack [7].
Figure 2

The structure of the DDoS attack [7].

The term “deep learning classification” refers to the problem associated with predictive modeling when a class label is anticipated for a given input data sample. Classification categorizes observed data into a predetermined number of groups [9]. The primary objective of a classification task is to determine which class new data will belong to. Classification algorithms try to determine the mapping function (f) from input variables (x) for discrete or categorical output variables (y) [10]. In this case, (y) denotes the anticipated category indicated by the mapping function. For example, the classification algorithm can forecast if the price will be higher or lower than the item price when selling a vehicle. A continuous value for classification models and output classes should often be projected as the likelihood of a specific occurrence. Probabilities may be thought of as the probability or confidence associated with a particular instance of each class. Selecting the most likelihood class mark may convert a projected probability to a class value [11].

The implications of DDoS assaults are undoubtedly severe and will only continue to worsen as the number of IoT devices and their software systems grows. Even though many solutions have been developed to identify and prevent this assault, which is mainly targeted at IoT devices, the danger continues to exist and is now more significant than ever [8,9]. An excellent example of this is using a machine learning pipeline, which collects traffic and determines whether it is a benign or malicious assault [12,13].

The purpose of this study is to utilize deep learning as a way to manage DDoS assaults using four algorithms: the recurrent neural network (RNN), the long short-term memory-RNN (LSTM-RNN), the convolutional neural network (CNN), and the CNN-bidirectional LSTM (CNN-BiLSTM). Based on their performance, a comparison between the four algorithms will be conducted using a confusion matrix.

2 Related work

Many research efforts have been made to mitigate the threat of DDoS assaults in the past. Some of these studies and attempts are genuine, while others are outdated. These characteristics are consistent with the nature of today’s DDoS botnets. There are many different types of DDoS malware, some of which regularly develop, making them almost impossible to detect. Some DDoS malware may hibernate on compromised devices without creating issues, giving the impression that nothing unusual is happening until the hacker launches the attack. Deep learning has developed new methods and strategies for dealing with DDoS and other problems [4,10]. This section presents some of the most recent and effective work for DDoS detection in the IoT environment.

The research of [14] has provided a software-defined networking-based classification using three models, namely, a gated RNN “as their primary model,” and compared it with VanilaRNN, support vector machine (SVM), and deep neural network (DNN) for the NSL-KDD dataset, and compared the proposed model with DNN, SVM, and naïve bayes (NB) trees using the intrusion detection evaluation dataset (CICIDS2017). This research introduces a mitigator or filter; the filter shall receive the traffic before it reaches the software-defined networking (SDN) switch as an SDN controller, consisting of three naib parts: flow collector, anomaly detector, and anomaly mitigator. The interface gated recurrent units-RNN (GRU-RNN) has achieved an accuracy of 0.89 utilizing the NSL-KDD dataset and 0.99 using CICIDS2017.

The research of ref. [15] implemented two deep learning models in the CICDDoS2019 dataset. The models are DNN and LSTM, introducing more refined data by using feature selection, leaving them with three labels to distinguish the data from “UDP, SYN, and UPD-lag. Each on hold a dataset with two labels “standard and the type of the attack. It would appear that the average accuracy obtained by both models was somewhat comparable as it amounted to 0.999 when run in a batch size of 32 and 10 epochs for all experiments.

The research of ref. [16] has experimented with just LSTM in the CICIDS2017 dataset. However, the main goal is to determine which tuning is best to get the most accuracy. They tried different hyperparameters, such as activation function, loss function, optimizer, etc., and a different number of LSTM layers. Their experiment used from one layer to six layers, abbreviated as L1–L6. As observed from the results of this study, the optimal hyperparameter tuning that achieved the highest accuracy is in Table 1.

Table 1

Optimal hyperparameter tuning based on [16]

Parameter Name of parameter Accuracy obtained
LSTM layers L5 0.9909
Optimizer RMSprop 0.9908
Activation function Tanh 0.9908
Loss function Kullback-Leibler divergence 0.9887

The research of ref. [17] presents a deep learning algorithm in which they merged RNN with CNN as a hybrid detection system. The study used the realistic cyber defense dataset (CSE-CIC-IDS2018) dataset and three more algorithms, namely, Logistic Regression, Extreme Gradient Boosting, and Decision Tree, to be compared with the newly introduced hybrid convolutional recurrent neural network-based network intrusion detection system based on their performance. All models have the same building structure with tenfold cross-validation. Their combination outdid the other models, which yielded an accuracy of 0.97 compared to other models, of which the highest was decision tree (DT) with an accuracy of 0.88. In the research of [18], the author used a set of deep and machine learning algorithms to detect anomalies in IoT devices using the CICIDS2017 dataset. The used models are deep convolutional neural networks (DCNN), multi-layer perceptron (MLP), LSTM, CNN + LSTM, SVM, NB, and random forest (RF). Table 2 summarizes the deep learning models and their corresponding results in the related work.

Table 2

The related work results that used either the same dataset or the same deep learning models

Ref. Dataset Models Accuracy Precision Recall F1-score
[14] NSL-KDD VanilaRNN 0.4439 0.9100 0.9000 0.9000
SVM 0.6567
DNN 0.7590
GRU-RNN 0.8900
CICIDS2017 SVM 0.6952
DNN 0.7575 0.9700 0.9700 0.9700
NB trees 0.8202
GRU-RNN 0.9900 0.9900 0.9900 0.9900
[15] CICDDoS2019 Syn DNN 0.9995 0.9998 0.9997 0.9997
Upd 0.9995 0.9995 1.000 0.9997
Upd-lag 0.9993 0.9994 0.9997 0.9995
Syn LSTM 0.9997 0.9997 0.9998 0.9998
Upd 0.9996 0.9996 1.0000 0.9998
Upd-lag 0.9990 0.9989 1.0000 0.9994
[16] CICIDS2017 LSTM 0.9954 0.9340 0.9475
[17] CSE-CIC-DS2018 HCRNN 0.9700 0.9633 0.9712 0.9760
Linear regression 0.8000 0.7810 0.8010 0.7910
DT 0.8800 0.8733 0.8850 0.8790
XGBoost 0.8900 0.8450 0.8340 0.8390
[18] CICIDS2017 DCNN 0.9514 0.9814 0.9017
MLP 0.8643 0.8847 0.8625
LSTM 0.9624 0.9844 0.8989
CNN + LSTM 0.9716 0.9741 0.9910
SVM 0.9550 0.9772 0.9912
NB 0.9519 0.9256 0.9284
RF 0.9464 0.9018 0.9089

Recent attempts to develop intelligent models to protect IoT networks against DDoS attacks have achieved noticeable success. However, developing a model capable of protecting the network from various types of DDoS attacks without affecting legitimate traffic represents the main research gap. In addition, testing these models in real-world environments for such types is challenging. As presented in Table 2, different datasets such as NSL-KDD, CICIDS2017, CSE-CIC-DS2018, and CICDDoS2019 are prepared for testing the DDoS defense models. The proposed defense models use machine learning and deep learning algorithms. The results show that, mainly, deep learning-based methods achieve better performance than machine learning-based methods, especially for well-known attacks, e.g., LSTM achieves an accuracy of 99.96% in the CICDDoS2019 dataset, and CNN + LSTM achieves an accuracy of 97.16% in the CICIDS2017 dataset. Nevertheless, new types of attacks represent a critical challenge for both approaches.

3 Methodology

We used three deep learning algorithms, namely CNN, RNN, and LSTM, to develop a CNN-BiLSTM model. The description of the RNN, LSTM, and CNN is provided in the following subsections. The flow of the experiment is shown in Figure 3. We prepared the data by applying various data checking and filtering processes in the first stage. First, we found that the dataset has many NaN and infinite values, so we replaced them with the mean. In that manner, the labels are encoded using Label_Encoder. Then, the data is split using a train-test with 67 and 33%, respectively, and a random state of 44. In the following stage, before feeding the data to the models for processing, the data is reshaped to match each model accordingly. Finally, the model performance evaluation result is obtained based on the confusion matrix, accuracy, precision, recall, and F-measure.

Figure 3 
               The experiment flow.
Figure 3

The experiment flow.

3.1 Dataset

The CICIDS2017 dataset includes benign and up-to-date examples of typical attacks, closely matching real-world data (Packet Capture, PCAPs). In addition, it contains the results of a network traffic analysis performed through CICFlowMeter, featuring flows labeled according to the time stamp, source and destination IP addresses, source and destination ports, protocols, and attack [13]. An overview of the dataset includes several types of DDoS attacks. They generated different attack datasets on Friday, 7 July 2017. BoT ARES is included in the Morning dataset. The Afternoon dataset is made up of independent port scans and DDoS assaults. The dataset’s structure used in this research combined both datasets of “Friday-Working Hours-Afternoon” and “Wednesday-Working Hours” into one dataset holding a shape of 478406,79. The features are 78, and an addition of a class label. There are six class labels: DDoS, Benign, DoS GoldenEye, DoS Hulk, DoS slowhttptest, and DoS slow loris. The CICIDS2017 dataset provides a more realistic detection of DDoS attacks. The CICIDS2017 dataset includes up-to-date examples of typical attacks, closely matching real-world data of PCAPs. Hence, it is extensively utilized to detect network attacks, including DDoS attacks [19].

3.2 Deep learning algorithms

The structure of each model is pretty much the same, with some minor changes to the models when necessary. Table 3 shows the shared parameters.

Table 3

Shared parameters

Batch size Input shape Learning rate Epsilon Optimizer Epochs Loss function Verbose Activation
1,024 1, 76 0.001 1 × 10−7 RMSprop 100 Sparse categorical cross-entropy 1 Sigmoid, Relu

RNN: RNN is a neural network in which the output of previous phases is used as an input. In a typical neural network, all inputs and outputs are independent. Still, preliminary words are required for tasks such as predicting the following expression of a phrase, which results in the recall of the last comments. The problem was then resolved using an RNN through a concealed layer [20]. The basic structure of the RNN used in this research is shown in Figure 4.

Figure 4 
                  The RNN structure.
Figure 4

The RNN structure.

The hidden state, which retains specific sequence data, is the RNN’s primary and essential component. In this research, we used a simple RNN. Thus, even this very basic design is robust from a symbolic standpoint. However, representative capacity is not the only issue in practice. It is critical to emphasize that these impressive findings on representation in no way imply that we can learn such pictures from data in an acceptable period [21]. The results obtained with the model can very much support that claim. RNN utilizes hidden layers and is best represented by the following equation:

(1) h t = σ ( Wx t + Uh t 1 + b h ) , t = 1 , 2 , 3 , , T ,

where h t is the hidden state, t is the time step, σ is the activation function of the hidden layer, x is the input, W is the weight, and b is the bias.

CNN: CNNs are based on neural networks that are constructed on the foundation of neural networks. Anatomy of CNN’s layers: convolutional, pooling, and fully connected. This layer is just a neural network as previously covered. The CNN also includes two important components: the activation function and the dropout layer. The CNN algorithm performs two main processes on convolutional and max-pooling layers: convolution and sampling [22,23]. Figure 5 shows the basic CNN architecture.

Figure 5 
                  The CNN structure.
Figure 5

The CNN structure.

Each neuron gets information from the xnx kernels part of the previous layer, known as the local receptive field [22].

(2) x i , j ( l ) = σ b + r = 0 n c = 0 n w r , c x i + r , j + c ( j 1 ) ,

where x i , j is the current output, σ is the activation function of the hidden layer, c is the input, w is the weight, and b is the bias.

LSTM: Hochreiter and Schmidhuber were the first to suggest LSTM as a special type of RNN [23]. The LSTM standard architecture has an input layer, a recurring LSTM layer, and an output layer. The input layer is linked to the layer LSTM. Formula (3) represents the LSTM-RNN first layer’s decision-making function f t . The decision is related to using or discarding the provided data, h t 1 , from the previous cell’s processed output as follows:

(3) f t = σ ( w f × [ h t 1 , x t ] + b f ,

where h t 1 is the data provided by the previous process, t is the time step, σ is the sigmoid function of the hidden layer, x is the input, w is the weight, and b is the bias.

Recurring LSTM connections are directly connected from cell output units to cell input units, input gates, output gates, and gates. The cell output units are also linked to the network output layer [24]. The following formula can calculate the total number of N parameters in the typical LSTM network with one cell in each memory block (without taking account of the distortions) [25]. Figure 6 shows the executed layers of the LSTM model.

Figure 6 
                  The LSTM structure.
Figure 6

The LSTM structure.

CNN-BiLSTM: In this model, we used the two powerful RNN and CNN algorithms and merged them into CNN-BiLSTM. Initially, it was suggested to remove the RNN restrictions. The idea is to split the state neurons of a normal RNN into two parts: one for the positive time (front) and one for the negative time (reverse) (backward states) [23]. Foreign state outputs are not linked to reverse state inputs, and vice versa. This results in the general structure of the BiLSTM shown in Figure 7, which has three stages, as suggested by ref. [26].

Figure 7 
                  The BiLSTM architecture [23].
Figure 7

The BiLSTM architecture [23].

The introduced CNN-BiLSTM model is presented in Figure 8. The convolutional layer creates features from the input data. The dropout layer randomly drops out nodes during training. This layer helps to regulate the training process, improve generalization error, and reduce overfitting causes. The CNN then applies the Maxpooling layers to reduce the spatial resolution of the features [22]. Adding the CNN for extracting critical patterns and producing high-quality features. Then, the BiLSTM functions forward and backward and can detect backward patterns [23].

Figure 8 
                  The CNN-BiLSTM structure.
Figure 8

The CNN-BiLSTM structure.

3.3 Evaluation

The performance of the classifiers was evaluated using a confusion matrix and the four most commonly used evaluation metrics, namely, accuracy, F-measure, recall, and precision [27]. The evaluation metrics are measured based on the calculations of True Positive (TP), False Positive (FP), True Negative (TN), and False Negative (FN) notions [28]. They are further explained as follows:

Accuracy: The proportion of correct forecasts from the total number of forecasts.

(4) Accuracy = TP + TN TP + TN + FB + FN .

Recall: It is also known as sensitivity, a proportion of the total number of instances found.

(5) Recall = TP TP + FN .

Precision: It means how precise the model was in predicting and classifying the data and is represented as follows:

(6) Precision , p = TP TP + FB .

F 1-score: The term F1-score is self-explanatory. It indicates the classifier’s precision regarding the number of successfully classified examples and their robustness as follows:

(7) F 1 - score = ( 2 × precision × recall ) ÷ ( precison + recall ) .

4 Results and discussion

In this work, the proposed CNN-BiLSTM model is used to detect DDoS attacks in IoT networks. Three additional models, LSTM, RNN, and CNN, are tested to verify the performance of the proposed CNN-BiLSTM model. These models have been implemented in the Python programming language under the Kaggle data science online system. The CICIDS2017 dataset is used for training and testing the four models. The confusion matrix, accuracy, precision, recall, and F-measure have been implemented to assess the performance of the models. Table 4 and Figure 9 give an overview of how each classification model performed.

Table 4

The classifiers’ results

Model Accuracy Error Precision Recall f-1 score
RNN 0.9958 0.01770 0.9870 0.9830 0.9850
CNN-BiLSTM 0.9976 0.01370 0.9890 0.9920 0.9910
LSTM 0.9973 0.01050 0.9110 0.9350 0.9100
CNN 0.9882 0.03580 0.9770 0.9830 0.9800
Figure 9 
               The comparison between the four classification models.
Figure 9

The comparison between the four classification models.

It is to be observed by looking at Figure 9 that the CNN-BiLSTM has outperformed all other classifiers. Both CNN and RNN are strong as individuals, as demonstrated by the results in Table 4. The combination of them indeed made a noticeable difference. The CNN as an individual has shown the lowest accuracy, but it obtains high precision and maintains a low error rate. The confusion matrix of each classifier obtained from the algorithm outputs is presented in Figure 10.

Figure 10 
               The confusion matrixes of the four deep learning models. (a) The RNN heatmap. (b) The CNN-BiLSTM heatmap. (c) The LSTM heatmap. (d) The CNN heatmap.
Figure 10

The confusion matrixes of the four deep learning models. (a) The RNN heatmap. (b) The CNN-BiLSTM heatmap. (c) The LSTM heatmap. (d) The CNN heatmap.

The main aim of this study is to combine three deep learning algorithms RNN, CNN, and LSTM in a CNN-BiLSTM hybrid model. Then, test the four deep learning algorithms and compare their performance in terms of detecting DDoS attacks in an IoT environment. With an accuracy of 99.76%, the hybrid CNN-BiLSTM model outperforms the rest of the deep learning models and machine learning. The CNN deep learning model is the least performant in terms of accuracy based on the dataset utilized. Except for CNN, the accuracy of the other three deep learning techniques, LSTM, RNN, and CNN-BiLSTM, is more than 99.50%, which outperforms most of the reviewed methods in Table 2, including deep learning and machine learning algorithms.

5 Conclusion and future work

The DDoS assaults constitute a danger to everyone on the Internet and are challenging to identify because of the attackers’ spoofing technology. Based on DDoS history, the recognized Mirai and Bashlite botnets will not be the final and most potent botnets since they are able to overcome the traditional DDoS detection and mitigation techniques, such as adding more bandwidth or traffic extraction. Cyberattacks endanger IoT networks that are still inherently vulnerable and need substantial resistance abilities. This article presents a proposed CNN-BiLSTM hybrid model that takes the advantages of CNN, RNN, LSTM, and BiLSTM and joins them into one model. The CNN-BiLSTM model provides an average accuracy of 99.76%, which shows that DDoS assaults can be handled efficiently by the CNN-BiLSTM deep learning model. Moreover, the CNN-BiLSTM model has shown the most satisfactory results in all metrics as compared with CNN, LSTM, and RNN. Nevertheless, the findings acquired from the other three classifiers must not be overlooked since they achieve an average accuracy of 99.16%. This study extensively examined IoT network construction and provided several potential causes for its insecure nature. It also demonstrated prior research and addressed the gaps in it and the nature of DDoS assaults. The study proposed the CNN-BiLSTM model for DDoS detection, and the results show that the CNN-BiLSTM model surpasses other tested models. This result indicates the ability of the model to perform in real-world IoT network systems. The main limitation of this work is the testing reliability due to the unavailability of a realistic testing platform. Future work will focus on instigating the bottleneck of IoT network systems related to the vulnerability to DDoS attacks.


We would like to express our heartfelt gratitude to the people in the Computer Department, the College of Education for Pure Sciences, the College of Basic Education at the University of Diyala, and the Department of Computer Sciences at the Shatt Al-Arab University College for their support of this research. In addition, the authors would like to thank the Center of Intelligent and Autonomous Systems, Faculty of Computer Science and Information Technology, University Tun Hussein Onn Malaysia (UTHM), for supporting this work.

  1. Funding information: Communication of this research is made possible through monetary assistance from the Universiti Tun Hussein Onn Malaysia and the UTHM Publisher’s Office via Publication Fund E15216.

  2. Conflict of interest: The authors have no conflicts of interest to declare. The authors certify that the submission is an original work and is not under review at any other publication. All authors have seen and agree with the manuscript’s contents, and there is no financial interest to report.

  3. Data availability statement: The dataset used for this research is available online and has a proper citation within the article’s contents.


[1] Hersher R. Meet Mafiaboy, The ‘bratty kid’ who took down the internet; 2015. in Google Scholar

[2] Mansfield-Devine S. DDoS goes mainstream: How headline-grabbing attacks could make this threat an organization’s biggest nightmare. Netw Secur. 2016;2016(11):7–13. 10.1016/S1353-4858(16)30104-0.Search in Google Scholar

[3] Harbi Y. “Security in internet of things.” Doctoral dissertation. Setif, Algeria: Setif University; 2021.Search in Google Scholar

[4] Maseer ZK, Yusof R, Mostafa SA, Bahaman N, Musa O, Al-rimy BAS. DeepIoT. IDS: Hybrid deep learning for enhancing IoT network intrusion detection. CMC-Comput Mater Continua. 2021;69(3):3945–66.10.32604/cmc.2021.016074Search in Google Scholar

[5] Al-Hadhrami Y, Hussain FK. DDoS attacks in IoT networks: A comprehensive systematic literature review. World Wide Web. 2021;24(3):971–1001.10.1007/s11280-020-00855-2Search in Google Scholar

[6] Douligeris C, Mitrokotsa A. DDoS attacks and defense mechanisms: Classification and state-of-the-art. Comput Netw. 2004;44(5):643–66. 10.1016/j.comnet.2003.10.003.Search in Google Scholar

[7] Khalaf BA, Mostafa SA, Mustapha A, Mohammed MA, Abduallah WM. Comprehensive review of artificial intelligence and statistical approaches in distributed denial of service attack and defense methods. IEEE Access. 2019;7:51691–713. 10.1109/ACCESS.2019.2908998.Search in Google Scholar

[8] Awan MJ, Farooq U, Babar HMA, Yasin A, Nobanee H, Hussain M, et al. Real-time DDoS attack detection system using big data approach. Sustainability. 2021;13(19):10743.10.3390/su131910743Search in Google Scholar

[9] Ali MH, Jaber MM, Abd SK, Rehman A, Awan MJ, Damaševičius R, et al. Threat analysis and distributed denial of service (DDoS) attack recognition in the internet of things (IoT). Electronics. 2022;11(3):494.10.3390/electronics11030494Search in Google Scholar

[10] Marapelli B, Carie A, Islam SM. RNN-CNN Model: A Bi-directional Long short-term memory deep learning network for story point estimation. 2020 5th International Conference on Innovative Technologies in Intelligent Systems and Industrial Applications (CITISIA). Sydney: IEEE; 2020. p. 1–7.10.1109/CITISIA50690.2020.9371770Search in Google Scholar

[11] Brownlee J. Start Machine Learning; 2017. in Google Scholar

[12] Doshi R, Apthorpe N, Feamster N. Machine learning DDoS detection for consumer internet of things devices. Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018; 2018. p. 29–35. 10.1109/SPW.2018.00013.Search in Google Scholar

[13] Sharafaldin I, Lashkari AH, Ghorbani AA. Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSP 2018 - Proc. 4th Int. Conf. Inf. Syst. Secur. Priv., vol. 2018-January, Cic; 2018. p. 108–16. 10.5220/0006639801080116.Search in Google Scholar

[14] Tang TA, McLernon D, Mhamdi L, Zaidi SAR, Ghogho M. Intrusion detection in SDN-based networks: Deep recurrent neural network approach. Adv Sci Technol Secur Appl. 2019;2019:175–95. 10.1007/978-3-030-13057-2_8.Search in Google Scholar

[15] Khempetch T, Wuttidittachotti P. DDoS attack detection using deep learning. IAES Int J Artif Intell. 2021;10(2):382–8. 10.11591/ijai.v10.i2.pp382-388.Search in Google Scholar

[16] Hossain MD, Ochiai H, Fall D, Kadobayashi Y. LSTM-based network attack detection: Performance comparison by hyper-parameter values tuning. 2020 7th IEEE Int. Conf. Cyber Secur. Cloud Comput. 2020 6th IEEE Int. Conf. Edge Comput. Scalable Cloud, CSCloud-EdgeCom 2020; 2020. p. 62–9. 10.1109/CSCloud-EdgeCom49738.2020.00020.Search in Google Scholar

[17] Khan MA. HCRNNIDS: Hybrid convolutional recurrent neural network-based network intrusion detection system. Processes. 2021;9(5):834. 10.3390/pr9050834.Search in Google Scholar

[18] Roopak M, Yun Tian G, Chambers J. Deep learning models for cyber security in IoT networks. 2019 IEEE 9th Annu. Comput. Commun. Work. Conf. CCWC 2019; 2019. p. 452–7. 10.1109/CCWC.2019.8666588.Search in Google Scholar

[19] Maseer ZK, Yusof R, Bahaman N, Mostafa SA, Foozy CFM. Benchmarking of machine learning for anomaly based intrusion detection systems in the CICIDS2017 dataset. IEEE Access. 2021;9:22351–70.10.1109/ACCESS.2021.3056614Search in Google Scholar

[20] DiPietro R, Hager GD. Deep learning: RNNs and LSTM. In Handbook of medical image computing and computer assisted intervention. Academic Press; 2020. p. 503–19.10.1016/B978-0-12-816176-0.00026-0Search in Google Scholar

[21] Feng W, Guan N, Li Y, Zhang X, Luo Z. Audio visual speech recognition with multimodal recurrent neural networks. Proc Int Jt Conf Neural Networks. 2017;2017:681–8. 10.1109/IJCNN.2017.7965918.Search in Google Scholar

[22] Jmour N, Zayen S, Abdelkrim A. Convolutional neural networks for image classification. 2018 International Conference on Advanced Systems and Electric Technologies (IC_ASET). Hammamet: IEEE; 2018. p. 397–40210.1109/ASET.2018.8379889Search in Google Scholar

[23] Hu J, Li S, Hu J, Yang G. A hierarchical feature extraction model for multi-label mechanical patent classification. Sustainability. 2018;10(1):219.10.3390/su10010219Search in Google Scholar

[24] Nguyen TP, Yeh CT, Cho MY, Chang CL, Chen MJ. Convolutional neural network bidirectional long short-term memory to online classify the distribution insulator leakage currents. Electr Power Syst Res. 2022;208:107923.10.1016/j.epsr.2022.107923Search in Google Scholar

[25] Bediako PK. Long short-term memory recurrent neural network for detecting DDoS flooding attacks within TensorFlow Implementation framework; 2017. p. 31.Search in Google Scholar

[26] Schuster M, Paliwal KK. Bidirectional recurrent neural networks. IEEE Trans Signal Process. 1997;45(11):2673–81. 10.1109/78.650093.Search in Google Scholar

[27] Azizan AH, Mostafa SA, Mustapha A, Foozy CFM, Wahab MHA, Mohammed MA, et al. A machine learning approach for improving the performance of network intrusion detection systems. Ann Emerg Technol Comput (AETiC). 2021;5(5):201–8. ISO 690.10.33166/AETiC.2021.05.025Search in Google Scholar

[28] Zulhilmi A, Mostafa SA, Khalaf BA, Mustapha A, Tenah SS. A comparison of three machine learning algorithms in the classification of network intrusion. International Conference on Advances in Cyber Security. Singapore: Springer; 2020. p. 313–24.10.1007/978-981-33-6835-4_21Search in Google Scholar

Received: 2022-03-18
Revised: 2022-06-11
Accepted: 2022-07-04
Published Online: 2023-01-12

© 2023 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 30.9.2023 from
Scroll to top button