Distributed Denial of Service (DDoS) attacks pose a significant threat to network availability, yet small networks (SOHO, small businesses, educational labs) remain vulnerable due to the high cost and computational demands of enterprise-grade protection systems. This paper presents a lightweight statistical DDoS detection system designed specifically for resource-constrained embedded hardware.
Our approach combines packet rate analysis with source IP entropy calculation, eliminating the need for computationally expensive deep packet inspection. The system monitors packet headers only, using Shannon entropy to distinguish legitimate traffic from distributed attacks while maintaining minimal resource consumption.
Introduction
Small networks face growing security risks as digital connectivity increases, which creates a need for lightweight, efficient intrusion detection systems (IDS). Traditional enterprise-grade security solutions like Snort, Suricata, and cloud-based services are often too expensive, resource-intensive, or complex for small businesses and home networks. These environments typically rely on low-power hardware with limited memory and processing capability, making advanced IDS solutions impractical.
Existing approaches—such as signature-based detection, flow analysis, cloud-based protection, and simple rate limiting—each have limitations in terms of accuracy, cost, latency, privacy, or hardware requirements. This creates a clear research gap for a solution that is accurate, lightweight, real-time, cost-free, and privacy-preserving.
To address this, the paper introduces ShieldLight, a lightweight DDoS detection system designed for embedded devices. It uses a dual-threshold algorithm combining packet rate analysis and IP entropy to detect attacks efficiently. The system is optimized for low-resource environments (such as Raspberry Pi and OpenWrt routers) and aims to provide real-time detection with minimal CPU and memory usage while maintaining 80–90% accuracy. It is also open-source and designed for easy deployment.
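The combination of a packet-rate threshold and a source-IP entropy threshold described above can be illustrated with the following added example, which is not ShieldLight's own code. The threshold values, the normalization of entropy by log2 of the packet count, and the classification labels are assumptions made for this illustration, and the sample windows are constructed.

```python
import math
from collections import Counter

# Assumed thresholds for illustration; the page does not publish values.
RATE_THRESHOLD_PPS = 1000.0  # packets per second above which a window is suspicious
ENTROPY_HIGH = 0.90          # normalized entropy: almost every packet has a new source
ENTROPY_LOW = 0.20           # normalized entropy: one source dominates the window

def source_entropy(src_ips):
    """Shannon entropy in bits of the source-IP distribution in one window."""
    total = len(src_ips)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(src_ips).values())

def normalized_entropy(src_ips):
    """Entropy scaled by log2(packet count): 1.0 means all sources are unique."""
    if len(src_ips) < 2:
        return 0.0
    return source_entropy(src_ips) / math.log2(len(src_ips))

def classify_window(src_ips, window_seconds=1.0):
    """Apply the rate threshold first, then the entropy thresholds."""
    rate = len(src_ips) / window_seconds
    if rate <= RATE_THRESHOLD_PPS:
        return "normal"
    h = normalized_entropy(src_ips)
    if h >= ENTROPY_HIGH:
        return "distributed-flood"    # many (likely spoofed) sources
    if h <= ENTROPY_LOW:
        return "single-source-flood"  # one host sending nearly everything
    return "high-rate-review"         # busy but stable client mix

# Constructed one-second windows of source addresses (header data only).
NORMAL = [f"192.168.1.{i % 8 + 10}" for i in range(200)]
BUSY = [f"192.168.1.{i % 20 + 10}" for i in range(3000)]
SPOOFED = [f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}" for i in range(5000)]
SINGLE = ["203.0.113.7"] * 5000

if __name__ == "__main__":
    for name, win in [("normal", NORMAL), ("busy", BUSY),
                      ("spoofed", SPOOFED), ("single", SINGLE)]:
        print(name, len(win), round(normalized_entropy(win), 3), classify_window(win))
```

Only source addresses and a packet count per window are needed, which is why this style of check avoids payload inspection. The busy window shows why rate alone is not sufficient: it exceeds the rate threshold but its source mix stays between the two entropy bounds.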
The literature review traces the evolution of intrusion detection systems from early statistical methods to modern machine learning and cloud-based solutions. It highlights that while accuracy has improved, most systems are not suitable for resource-constrained devices. Prior research in entropy-based detection and lightweight ML models shows promise but lacks practical, real-world embedded deployment.
ShieldLight addresses these gaps by providing a lightweight, open-source, and edge-deployable IDS. It achieves a balance between detection accuracy and resource efficiency while ensuring privacy through on-premises processing. The system is evaluated across multiple attack types and hardware platforms, demonstrating its suitability for small-scale networks.
Conclusion
A. Summary of Contributions
This paper presented ShieldLight, a lightweight DDoS detection engine specifically designed for resource-constrained small networks. Through entropy-based statistical analysis and optimized data structures, ShieldLight achieves:
- 86.4% detection accuracy across SYN, UDP, and ICMP flood attacks
- 118 MB memory footprint on Raspberry Pi 3B+
- 17.8% CPU utilization under attack conditions
- 2.4 second average detection latency
- Successful operation on OpenWrt routers with 256 MB RAM
These results demonstrate that ShieldLight meets its design goals of providing acceptable DDoS detection within the constraints of small network infrastructure.
B. Implications
ShieldLight has significant implications for small network security:
Democratization of DDoS Protection: For the first time, organizations with sub-$50 hardware can deploy effective DDoS detection without recurring costs or cloud dependencies.
Improved Internet Hygiene: By making DDoS detection accessible to small networks, ShieldLight helps prevent these networks from being co-opted into botnets that launch attacks on others.
Privacy-Preserving Security: Local detection preserves traffic privacy while maintaining effectiveness against volumetric attacks.
C. Final Remarks
The security of small networks has been overlooked by an industry focused on enterprise solutions. ShieldLight addresses this gap by providing a solution that respects the economic, technical, and hardware constraints of small organizations. We believe that accessible security tools like ShieldLight are essential for improving the overall resilience of the internet ecosystem.
The source code for ShieldLight is available open-source at [GitHub Repository], and we invite the community to contribute to its ongoing development.