Anomaly-Based DDoS Detection Using Improved Deep Support Vector Data Description (Deep SVDD) and Multi-Model Ensemble Approach

Authors

  • Bahtiar Imran Universitas Teknologi Mataram
  • Lalu Delsi Samsumar Universitas Teknologi Mataram
  • Ahmad Subki Universitas Teknologi Mataram
  • Wenti Ayu Wahyuni Universitas Teknologi Mataram
  • Zumratul Muahidin Universitas Teknologi Mataram
  • Muh Nasirudin Karim Universitas Teknologi Mataram
  • Ahmad Yani Universitas Teknologi Mataram
  • M. Zulpahmi Universitas Teknologi Mataram

DOI:

https://doi.org/10.30871/jaic.v10i1.11863

Keywords:

Deep SVDD, DDoS detection, unsupervised anomaly detection, network intrusion detection, deep learning for cybersecurity

Abstract

Distributed Denial-of-Service (DDoS) attacks remain a critical threat to network infrastructure, demanding robust and efficient detection mechanisms. This study proposes an enhanced Deep Support Vector Data Description (Deep SVDD) model for unsupervised DDoS detection using the UNSW-NB15 dataset. The approach leverages a deep encoder architecture with batch normalization and dropout to learn compact latent representations of normal traffic, minimizing the hypersphere volume enclosing benign flows. Only normal samples are used during training, adhering to the unsupervised anomaly detection paradigm. The model is evaluated against five established baselines—Isolation Forest, Local Outlier Factor (LOF), One-Class SVM, Autoencoder, and a simple ensemble—using AUC, F1-score, and recall as primary metrics. Experimental results demonstrate that Deep SVDD significantly outperforms all baselines, achieving superior class separation, high detection sensitivity, and computational efficiency (0.0004 GFLOPs). Notably, while LOF exhibited a deceptively high F1-score, its AUC near 0.5 revealed poor discriminative capability, highlighting the risk of relying on single metrics. The ensemble approach failed to improve performance, underscoring the limitation of naive score averaging when weak detectors are included. Visualization of score distributions and ROC curves further confirms Deep SVDD’s ability to effectively distinguish DDoS from benign traffic. These findings affirm that representation learning in latent space offers a more reliable foundation for anomaly detection than traditional distance-, density-, or reconstruction-based methods. The proposed model presents a promising solution for real-time, low-overhead intrusion detection systems in modern network environments. Future work will explore adaptive ensembles, self-supervised pretraining, and deployment on edge devices.
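The abstract's two evaluation points (a high F1-score alongside an AUC near 0.5, and naive score averaging held back by a weak detector) can be reproduced on toy data. The following is an added example, not code or results from the paper; the two detectors, the 800/200 class split, the threshold and all scores are constructed for illustration.

```python
import random

def auc(scores, labels):
    """P(random attack flow scores above random benign flow); ties count half."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def f1(scores, labels, threshold):
    """F1 for the attack class when flows scoring >= threshold are flagged."""
    pred = [s >= threshold for s in scores]
    tp = sum(1 for p, y in zip(pred, labels) if p and y == 1)
    fp = sum(1 for p, y in zip(pred, labels) if p and y == 0)
    fn = sum(1 for p, y in zip(pred, labels) if not p and y == 1)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def minmax(scores):
    """Rescale scores to [0, 1] so detectors can be averaged."""
    lo, hi = min(scores), max(scores)
    return [(s - lo) / (hi - lo) for s in scores]

def build_demo(seed=0):
    """Constructed, attack-heavy test set: 800 attack flows, 200 benign."""
    rng = random.Random(seed)
    labels = [1] * 800 + [0] * 200
    # Hypothetical detector A: score carries no information about the label.
    weak = [rng.random() for _ in labels]
    # Hypothetical detector B: attacks score clearly above benign traffic.
    strong = [rng.gauss(0.8 if y else 0.2, 0.1) for y in labels]
    # Naive ensemble: mean of the min-max normalised scores.
    avg = [(a + b) / 2 for a, b in zip(minmax(weak), minmax(strong))]
    return labels, weak, strong, avg

def evaluate(seed=0):
    labels, weak, strong, avg = build_demo(seed)
    return {
        "weak_f1": f1(weak, labels, 0.05),  # threshold flags ~95% of all flows
        "weak_auc": auc(weak, labels),
        "strong_auc": auc(strong, labels),
        "ensemble_auc": auc(avg, labels),
    }

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.3f}")
```

Detector A earns its F1 only because most test flows are attacks and it flags almost everything; its AUC shows it cannot rank an attack above a benign flow, and averaging it with detector B yields an ensemble AUC below detector B alone.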




Published

2026-02-09

How to Cite

[1]
B. Imran, “Anomaly-Based DDoS Detection Using Improved Deep Support Vector Data Description (Deep SVDD) and Multi-Model Ensemble Approach”, JAIC, vol. 10, no. 1, pp. 462–471, Feb. 2026.
