Distributed Denial-of-Service (DDoS) attacks are a problem for applications hosted in the cloud. They often cause applications to stop working and result in losses. Amazon Web Services (AWS) has some built-in protections, such as AWS Shield and WAF. However, these protections are mostly static: they only react to problems after they happen. This research is about a firewall that can teach itself and adapt to DDoS attacks in AWS environments. The proposed system uses AWS WAF, Shield, CloudWatch, Athena and Lambda to form a loop that automatically gives feedback in time. The system monitors traffic logs and looks for abnormal activity using limits and patterns. When it finds something, it changes the firewall rules to stop that traffic. The system also has a component that stores information about what it finds, which helps it get better over time.
The system's developers tested it with attacks to see how well it works. The system was able to find and stop these attacks quickly. It did not make mistakes.
The system is good because it can change and improve as new threats emerge, so people do not have to fix it all the time. The traffic logs, firewall rules and threat intelligence all work together to make the system work well. This study offers a scalable, serverless security model for AWS that is both cost-effective and intelligent. It contributes to cloud security practices by enabling proactive defense mechanisms that respond and learn in real time.
Introduction
The text examines the growing threat of Distributed Denial of Service (DDoS) attacks in cloud environments, particularly within Amazon Web Services (AWS), as cloud computing continues to expand globally. The rapid adoption of cloud services has increased both the scale and sophistication of cyberattacks, making traditional firewalls and intrusion prevention systems insufficient due to their lack of scalability, intelligence, and automation.
DDoS attacks overwhelm systems with massive malicious traffic from multiple sources, rendering services unavailable. Although AWS provides built-in protections such as AWS Shield and AWS WAF, these solutions are largely reactive and require manual configuration. The paper proposes an intelligent, adaptive firewall that autonomously detects, learns, and mitigates evolving DDoS threats without human intervention, using AWS-native services like WAF, Lambda, CloudWatch, Athena, and DynamoDB.
A review of global DDoS trends (2015–2025) highlights a steady increase in attack frequency and complexity, driven by IoT botnets, multi-vector attacks, geopolitical conflicts, and application-layer vulnerabilities. Related work discusses early adaptive mitigation approaches such as Adaptive History-Based IP Filtering (AHIF), which demonstrated improved accuracy in minimizing false positives, and outlines AWS’s existing DDoS defense mechanisms.
The proposed adaptive firewall incorporates self-learning threat detection, analyzing real-time traffic characteristics to identify volumetric, protocol-based, and application-layer attacks. Machine learning models distinguish normal traffic from attack patterns, reducing false positives during legitimate traffic spikes. AWS’s scalability and event-driven automation enable rapid, real-time mitigation actions such as intelligent rate limiting, behavioral blocking, and geo-based filtering.
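The detect-and-block loop described above, as an added Python example (not code from the paper): it counts requests per client IP in fixed windows over AWS WAF log records and merges offenders into a WAF IP set. The log lines, the thresholds, the halved limit for IPs already in the history store, the allowlist, and the `wafv2` argument (any object exposing boto3's `get_ip_set` and `update_ip_set`) are assumptions of this example.

```python
import ipaddress
import json
from collections import Counter, defaultdict

def make_record(ts_ms, ip, uri="/login"):
    """Constructed AWS WAF log line: real field names, made-up values."""
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW",
                       "httpRequest": {"clientIp": ip, "uri": uri}})

T0 = 1700000000000  # constructed epoch-millisecond start time
SAMPLE_LOGS = ([make_record(T0 + i * 50, "203.0.113.7") for i in range(300)]
               + [make_record(T0 + i * 4000, "198.51.100.20", "/") for i in range(12)]
               + ["not-json", make_record(T0, "bogus-ip")])

def detect_offenders(lines, window_s=60, threshold=200, history=()):
    """Return {ip: peak requests in any one window} for IPs above the limit.
    IPs in `history` (earlier offenders) are held to half the limit."""
    buckets = defaultdict(Counter)  # window index -> per-IP request counts
    for line in lines:
        try:
            rec = json.loads(line)
            ip = str(ipaddress.ip_address(rec["httpRequest"]["clientIp"]))
            window = int(rec["timestamp"]) // (window_s * 1000)
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip it, never block on bad data
        buckets[window][ip] += 1
    peaks = Counter()
    for counts in buckets.values():
        for ip, n in counts.items():
            peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items()
            if n > (threshold // 2 if ip in history else threshold)}

def apply_block(wafv2, name, ip_set_id, offenders, allow=(), scope="REGIONAL", max_new=100):
    """Merge IPv4 offenders into a WAF IP set; returns the CIDRs added."""
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    existing = set(current["IPSet"]["Addresses"])
    new = sorted(f"{ip}/32" for ip in offenders
                 if ip not in allow and ipaddress.ip_address(ip).version == 4
                 and f"{ip}/32" not in existing)[:max_new]  # cap changes per run
    if new:
        # LockToken makes the update fail if someone else changed the set
        wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                            Addresses=sorted(existing | set(new)),
                            LockToken=current["LockToken"])
    return new
```

In a Lambda handler, `wafv2` would be `boto3.client("wafv2")` and `history` would be loaded from the threat-intelligence table; the allowlist keeps health checkers and known partner addresses out of the block set during legitimate traffic spikes.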
The discussion emphasizes that AI-driven, adaptive firewalls significantly outperform static, rule-based systems by continuously learning network behavior and responding dynamically to new and stealthy attack patterns. This approach is particularly effective in AWS environments where traffic patterns change rapidly due to auto-scaling and distributed workloads, ultimately improving availability, resilience, and security against modern DDoS attacks.
Conclusion
This paper proposed a dynamic firewall design for DDoS mitigation in the AWS cloud, using self-learning methods to overcome the drawbacks of traditional static security measures. Intelligent traffic monitoring combined with automated attack response inside the system allows it to identify and handle not only known but also new patterns of DDoS attack in real time.
The study reveals that the self-learning method can live up to its promise, differentiating malicious intent from legitimate traffic even under the changing scenarios of the cloud environment. Working with AWS-native services lays the foundation for a defense that is scalable, cost-efficient, and mostly automated, lessening the reliance on rule configurations done by hand and thereby raising the robustness of the system as a whole.
The adaptable nature of the firewall is a feature that security policy updates can take advantage of, which makes it a perfect fit for a threat landscape that is constantly changing.