Recent developments in communication technology have changed how industrial systems operate. Better communication between the entities involved in cyber-physical production systems (CPPS), including manufacturers, suppliers, and users, has made the process more transparent. However, adopting cutting-edge technologies in CPPS may threaten the availability of production systems by creating weak points that attackers can use to conduct complex distributed denial-of-service (DDoS) attacks. Current machine learning-based intrusion detection systems (IDS) frequently rely on unrealistic datasets for training and validation and skip the critical stage of testing against real-time scenarios. The ML models' outputs are based on flow-level predictions and cannot offer a comprehensive picture of malicious actors. To overcome this limitation, this study proposes an effective IDS that combines machine learning techniques with rule-based detection to identify DDoS attacks that harm CPPS infrastructure. We use real-time network traffic captured from an actual industrial setting, a Farm-to-Fork (F2F) supply chain system, for training and validation. CICFlowMeter was used to extract bidirectional features from both attack and regular traffic. We employ 8 supervised and unsupervised ML techniques to identify the malicious flows. A rule-based detection mechanism then determines the frequency of the malicious flows, and that frequency is used to assign varying severity levels.
Introduction
The fourth industrial revolution (Industry 4.0) has transformed factories into cyber-physical production systems (CPPS), integrating AI, IoT, cloud computing, edge computing, and M2M connectivity. This connectivity improves productivity, product quality, cost efficiency, and sustainability, but also increases exposure to cybersecurity threats such as ransomware and DDoS attacks, especially in IoT-heavy sectors like the farm-to-fork food supply chain. These attacks can disrupt operations, reduce output quality, and cause financial and reputational losses, highlighting the need for advanced intrusion detection systems (IDS).
The study reviews recent research on machine learning and deep learning approaches—such as KNN, SVM, Random Forest, CNN, LSTM, and hybrid models—for detecting network intrusions and classifying attacks, using datasets like KDD, NSL-KDD, CICIDS, and UNSW-NB15. Preprocessing techniques and traffic feature selection can significantly improve detection accuracy.
The proposed system includes modules for service providers (dataset management, model training/testing, and accuracy visualization) and remote users (attack prediction and profile management). Algorithms implemented include SVM, Logistic Regression, Random Forest, and Naïve Bayes, all applied to classify and predict DDoS attacks. Graphical analyses provide real-time insights into model performance, improving monitoring and security of CPPS in the food supply chain.
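The abstract describes a second, rule-based stage that counts the flows the classifiers flag as malicious and maps that frequency to a severity level. The sketch below is an added example, not the study's code; the 60-second window, the thresholds, the level names, and the flow tuple layout are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed sliding-window length, not from the paper
# Assumed thresholds (min flagged flows per window, level), highest first.
SEVERITY_RULES = [(20, "critical"), (10, "high"), (3, "medium"), (1, "low")]


def severity_for(count):
    """Map a per-window count of malicious flows to a severity level."""
    for minimum, level in SEVERITY_RULES:
        if count >= minimum:
            return level
    return "none"


def grade_sources(flows, window=WINDOW_SECONDS):
    """flows: (timestamp_s, src_ip, label) tuples, label 1 = classifier said malicious.

    Returns {src_ip: (peak flagged flows in any window, severity)}.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of flagged flows in window
    peak = {}
    for ts, src, label in sorted(flows):
        peak.setdefault(src, 0)   # benign-only sources are still reported
        if label != 1:
            continue
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:  # evict flows that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: (n, severity_for(n)) for src, n in peak.items()}


# Constructed sample: labels stand in for the ML stage's per-flow output.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", 1) for t in range(25)]                 # burst of 25 in 25 s
    + [(t, "10.0.0.8", 1) for t in (5, 10, 15, 20, 25)]     # 5 in 20 s
    + [(t, "10.0.0.9", 1) for t in (0, 100, 200, 300)]      # 4, but spread out
    + [(t, "10.0.0.7", 0) for t in (3, 50, 90)]             # benign only
)

if __name__ == "__main__":
    for src, (count, level) in sorted(grade_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: peak={count} severity={level}")
```

A source with four flagged flows spread over five minutes grades lower than one with five in twenty seconds, which is the effect of grading on frequency rather than on totals.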
Conclusion
In this study, we proposed a comprehensive, methodical approach to DDoS attack detection. The UNSW-NB15 dataset, which includes details on the DDoS attacks, was first chosen from the GitHub source. The Australian Centre for Cyber Security (ACCS) supplied this dataset. Data wrangling was then done in a Jupyter notebook using Python. Second, the dataset was separated into two classes: the independent class and the dependent class. We also normalized the dataset for the algorithm. After normalizing the data, we applied the proposed supervised machine learning method, which produced classification and prediction results for the model. Next, we applied the classification algorithms XGBoost and Random Forest. In the first classification, the Random Forest Precision (PR) and Recall (RE) are both roughly 89%. The proposed model had an average Accuracy (AC) of about 89%, which is fantastic and sufficient. Keep in mind that the F1 score is 89% based on the average accuracy. For the second classification, the XGBoost Precision (PR) and Recall (RE) are both roughly 90%. We observed an average Accuracy (AC) of almost 90% for the proposed model, which is fantastic and incredibly intelligent. Once more, the F1 score is 90% based on the average Accuracy. The precision of the previous research's flaw determination, which was 85% and 79%, was particularly noteworthy when compared to the planntly improved.