https://doi.org/10.1140/epjp/s13360-025-07213-z
Regular Article
DDoSAE: a novel deep autoencoder framework for low-rate DDoS attack detection
1 Department of CSE (AIML), MLR Institute of Technology Hyderabad, Hyderabad, Telangana, India
2 Department of Computer Science and Engineering, Anantha Lakshmi Institute of Technology and Sciences, Anantapur, Andhra Pradesh, India
3 Department of AIML, Chaitanya Bharati Institute of Technology, Hyderabad, Telangana, India
4 CSE (AI&ML), Kakatiya Institute of Technology and Science, 506371, Warangal, Telangana, India
5 CSE-Data Science, Vaagdevi College of Engineering, Warangal, Telangana, India
6 Department of CSE - Cyber Security, Malla Reddy Engineering College, Hyderabad, Telangana, India
Received: 7 May 2025
Accepted: 13 December 2025
Published online: 27 December 2025
Abstract
Low-rate DDoS attacks are proliferating. They send packets that are indistinguishable from standard traffic patterns, which hampers detection via signature-based and statistical approaches. Although traditional machine learning approaches such as support vector machines, decision trees, and ensemble classifiers have recorded some success, high false positive rates, dependence on feature engineering, and inflexibility to changing attack patterns still prevail. While deep learning models (like CNNs and RNNs) have shown potential, they may need large amounts of labeled data and computational resources, making them harder to deploy in real time. To overcome these limitations, we propose DDoSAE, a novel framework for low-rate DDoS detection that performs unsupervised anomaly detection with a deep autoencoder: the model automatically determines the standard traffic patterns and uses reconstruction error distributions to detect anomalies. The framework includes dropout-based regularization, batch normalization, and an adaptive threshold mechanism to make it robust and reduce false positives. We evaluate DDoSAE on the CIC-IDS2017 and CIC-DDoS2019 datasets; it achieves a detection accuracy of 98.56 percent and a false positive rate of 1.2 percent, which outperforms the existing state-of-the-art machine learning and deep learning models. The CIF sets recovery performance (DDoSAE vs. base) also shows that DDoSAE is effective at faster, cost-efficient, low-rate, stealthy DDoS detection and, thus, appropriate for real-time network security applications. Our framework ensures scalability and flexibility and is a potential candidate solution for securing modern network infrastructure against the continuously evolving threat landscape.
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
© The Author(s), under exclusive licence to Società Italiana di Fisica and Springer-Verlag GmbH Germany, part of Springer Nature 2025

