DDoS Detection and Mitigation via Hierarchical Adaptive Traffic Profiling and Learning-Based Control

Authors

  • Miss Chetana Digambar Jangale, Lecturer, B.Voc (Software Development), B. G. College, Sangvi, Pune 411027

DOI:

https://doi.org/10.53573/rhimrj.2025.v12n12.009

Keywords:

DDoS, Mitigation, Hierarchical Adaptive, Traffic Profiling

Abstract

Distributed Denial-of-Service (DDoS) attacks continue to pose a significant threat to critical infrastructure and enterprise networks, with attack complexity and scale escalating substantially in recent years. Traditional threshold-based detection mechanisms exhibit limited effectiveness against adaptive adversaries and novel attack vectors. This paper presents HATPLC (Hierarchical Adaptive Traffic Profiling with Learning-based Control), a machine learning-augmented framework for real-time DDoS detection and mitigation. The proposed approach leverages hierarchical traffic decomposition combined with adaptive profiling models to establish dynamic baseline expectations. Control-theoretic principles are integrated to enable rapid mitigation response through intelligent traffic rerouting and rate-limiting policies. Evaluation on a comprehensive dataset comprising 34 labeled DDoS campaigns alongside legitimate traffic traces demonstrates a detection accuracy of 94.7%, with an average detection latency of 3.2 seconds. The framework achieves a false positive rate of 2.1%, substantially outperforming baseline methods. Analysis across attack variants—including volumetric, protocol-based, and application-layer attacks—indicates robust performance under diverse adversarial conditions. The proposed mitigation strategy reduces attack impact by 73.2% while maintaining service availability for legitimate users with a 96.8% success rate. This work contributes a practical, deployable solution addressing the detection-to-mitigation gap in contemporary network defense.

Published

2025-12-15

How to Cite

Jangale, C. D. (2025). DDoS Detection and Mitigation via Hierarchical Adaptive Traffic Profiling and Learning-Based Control. RESEARCH HUB International Multidisciplinary Research Journal, 12(12), 71–84. https://doi.org/10.53573/rhimrj.2025.v12n12.009