Enhancing DDoS Attack Detection in IoT Networks Through Pruned Deep Ensemble Learning

Abstract

DDoS attacks prove to be the biggest roadblocks to the maintenance and stability of the IoT environment, occasionally causing network congestions, shutdowns, and breaches of data integrity. In this regard, setting up an intelligent ensemble learning framework for DDoS detection over IoT infrastructures involves pruning of models with an aim of maximizing performance and minimizing computation. The ensemble learning consists of two models first, stacking classifier RF , GB and second, voting classifier of LR, DT, KNN, CNN and LSTM. TPOT Classifier is an automatic approach to model and hyperparameter selection and tuning, maintaining optimized ML pipelines. The features of the dataset include some major network flow feature attributes such as time, the total amount of forward directions of packets, the total amount of backward directions of packets, The packet length forward, the packet length backward, packets backward, statistical length of packet, and the amount of the packet flag. This is very wide scope of factors which is necessary to define the valid traffic. The tendency of pruning ( redundancy or less informative ) of the ensemble models provides an opportunity of removing the redundant or less informative classifiers, improve computing efficiency without reducing the predictive accuracy. As to the existing measures of performance, The CNN, LSTM outcomes of the experiment that have been described in the paper have shown that the given technique might be effectively employed in an effort to target the identification of DDoS attacks, and the false positives rates would not be high. The high prevalence of DDoS attacks makes the proposed methodology worthwhile in terms of detecting DDoS due to the scalability of the method as well as because IoT networks are limited in resources. The experimental results reflect that fine ensemble training with pruning can show a superior trade-off relative to the traditional machine learning methods; therefore, providing a mature and scaled security methodology in IoT network.

Introduction

• The rise of the Internet of Things (IoT) has increased connectivity but also exposed networks to cyberattacks, particularly DDoS attacks.

• IoT devices are resource-constrained, making it hard to detect and mitigate such attacks using traditional security methods.

• The study proposes a lightweight, accurate, and scalable DDoS detection system using deep ensemble learning and pruning techniques, combining models like stacking, voting, and AutoML (TPOT).

II. Literature Review

• [1] Saiyed & Al-Anbagi: Proposed a deep ensemble model with pruning for efficient and real-time DDoS detection in IoT networks.

• [2] Shafique et al.: Surveyed existing detection methods (signature-based, anomaly-based, hybrid), stressing the need for scalable and adaptive techniques.

• [3] Ahmad et al.: Developed a hybrid model using multiple classifiers and feature selection to optimize accuracy and efficiency.

• [4] Al-Mamun et al.: Emphasized ensemble methods (bagging, boosting) for increased robustness and detection accuracy.

• [5] Ali et al.: Used deep learning (CNN, RNN) to create an accurate and low-latency DDoS detection system.

III. System Architecture

A. Frontend Features

• Login/Registration: Secure user access.

• Home Dashboard: Navigation to prediction and performance pages.

• Prediction Page: User inputs characteristics; receives attack prediction.

• Performance Page: Shows model accuracy and algorithm names.

• Logout: Safely ends user session.

B. Backend Functions

• Data Collection & Preprocessing: Cleans and formats raw traffic data for model input.

IV. Models Used

1. Stacking Classifier

• Combines Random Forest and Gradient Boosting as base learners.

• Uses Logistic Regression as the meta-learner for final prediction.

• Benefits: High accuracy, feature interaction handling, model diversity.

2. Voting Classifier

• Combines Logistic Regression, KNN, and Decision Tree.

• Final prediction via majority voting.

• Benefits: Robustness through diversity, improved generalization.

3. TPOT Classifier (AutoML)

• Uses genetic programming to automatically generate and optimize ML pipelines.

• Searches for best models, features, and hyperparameters.

• Benefits: Time-efficient, effective for rapid prototyping.

4. Convolutional Neural Network (CNN)

• Learns spatial hierarchies in data automatically.

• Best for identifying complex traffic patterns.

• Benefits: High accuracy, effective for structured/sequential traffic data.

5. Long Short-Term Memory (LSTM)

• Specialized in processing time-series/sequential data.

• Captures long-term dependencies in traffic behavior.

• Benefits: Excellent for dynamic, time-sensitive network traffic detection.

V. Results and Discussion

A. Technologies Used

• Backend: Flask, MySQL, Pandas, NumPy, scikit-learn, TPOT, Keras/TensorFlow.

• Flask web app includes user auth, prediction system, and model performance display.

B. Data Handling

• CSV dataset loaded and cleaned.

• Train/test split performed.

• Traditional ML and deep learning models trained separately.

C. Exploratory Data Analysis (EDA)

• Right-skewed distributions indicate:

  • Most network flows are normal with low values.

  • Some outliers may represent anomalies or attacks.

• Flow IAT and packet length variances reveal both regular and erratic traffic.

• Patterns in Fwd/Bwd packets/s suggest low traffic is common; spikes could indicate DDoS activity.

VI. Proposed Contribution

• Introduces a comprehensive DDoS detection system tailored for IoT environments.

• Combines ensemble learning, deep learning, and AutoML to ensure:

  • High detection accuracy.

  • Low resource usage.

  • Real-time detection feasibility.

• Emphasizes the need for scalable and adaptive security mechanisms in light of growing IoT threats.

Conclusion

The paper suggests the technique that may become quite useful in the identification of the Distributed Denial of Service (DDoS) attack beat in the Internet of Things (IoT) based networks with the concept of the new deep ensemble learning approach. By comparing and combining Stacking Classifier, Voting Classifier and TPOT Classifier in the pipeline Optimization process we achieved a Detection accuracy score of 99 and 98 percent, the latter performing almost equally well. The CNN classifier was somewhat encouraging with a reading of 96 as opposed to that of LSTM which read 82. The calculation performance is complemented with the use of the method of pruning, which deletes models not required, thus improve accuracy in the prediction and efficiency. The effectiveness in separating typical and malicious network flows patterns, reflected in cross-validation and F1 score, may be explained by the high level of feature extraction based on the dataset, and in turn capturing the essential properties of the network flows. It is no surprise that the research findings reveal that deep ensemble model can deliver high detection accuracies bearing in mind that it poses a challenge to the limitations of IoT resources hence contributing to the scaling challenge in the securities of IoT networks amid DDoS attacks. Although this study is also capable of providing an influential contribution to knowledge development on the issue of cybersecurity.

References

[1] M. F. Saiyedand and I. Al-Anbagi, “Deep Ensemble Learning With Pruning for DDoS Attack Detection in IoT Networks,” in IEEE Transactions on Machine Learning in Communications and Networking, vol. 2,pp.596-616, 2024,doi:10.1109/TMLCN.2024.3395419. [2] Shafique, H., Gupta, K. K., Awan, M. S., & Babar, M. U. (2021). A survey of detection mechanisms for Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) networks. IEEE Access, 9, 102988–103005.https://doi.org/10.1109/ACCESS.2021.3098043 [3] Ahmad, S., Bakar, A. H. A., & Ali, M. I. (2021). A hybrid machine learning-based model for detecting DDoS attacks in IoT environments. Future Generation ComputerSystems,119,41–54. https://doi.org/10.1016/j.future.2021.01.016 [4] Al-Mamun, M., Abdullah, A. I., & Khan, M. K. (2021). Application of ensemble learning for detecting DDoS attacks in IoT networks. Journal of Information Security andApplications,57,102758. https://doi.org/10.1016/j.jisa.2020.102758 [5] Ali, W. M. M., Abed, H. S., & Zawawi, N. A. A. (2022). A deep learning approach to efficient detection of DDoS attacks in IoT networks. IEEE Access, 10, 20645–20659. https://doi.org/10.1109/ACCESS.2022.314294 [6] Verma, R., Srivastava, A. K., & Gupta, R. K. (2022). Deep learning-based approach for DDoS attack detection in IoT networks. Journal of Computer Networks and Communications, 2022, 1–12. https://doi.org/10.1155/2022/2039265 [7] Qureshi, F. A., Alazab, H. H., & Alzahrani, A. J. H. (2021). A review of DDoS attack detection techniques in IoT networks. Computers & Security, 110, 102427. https://doi.org/10.1016/j.cose.2021.102427 [8] Santos, J. L. M. B., Silva, E. M. F. D., & Silva, R. D. S. (2020). An ensemble learning technique for DDoS attack detection in IoT environments. IEEE Latin AmericaTransactions,18(6),1058–1065. https://doi.org/10.1109/TLA.2020.9189155 [9] Ghosh, S. N., Rajan, R. D. S., & Nair, P. D. S. (2021). An extensive review of machine learning algorithms for detecting DDoS attacks in IoT systems. Journal of Network and Computer Applications, 174, 102866. https://doi.org/10.1016/j.jnca.2020.10286 [10] Arshad, M., Hussain, A. W., & Qureshi, A. G. (2021). A comprehensive survey on deep learning methods for DDoS attack detection in IoT networks. Future GenerationComputerSystems,115,23–37. https://doi.org/10.1016/j.future.2020.08.019 [11] Noor, M. I. S. M., Mohd, A. A. H. Y., & Zulkifli, Z. M. Z. (2022). An ensemble learning-based approach for effective detection of DDoS attacks in IoT networks. Journal of King Saud University - Computer and InformationSciences,34(2),187–194. https://doi.org/10.1016/j.jksuci.2019.06.006

Copyright

Copyright © 2025 Asundi Kamal Jason. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.