Open Access

ARTICLE

Unknown DDoS Attack Detection with Sliced Iterative Normalizing Flows Technique

Chin-Shiuh Shieh¹, Thanh-Lam Nguyen¹, Thanh-Tuan Nguyen^2,*, Mong-Fong Horng^1,*

1 Department of Electronic Engineering, National Kaohsiung University of Science and Technology, Kaohsiung, 807618, Taiwan
2 Department of Electronic and Automation Engineering, Nha Trang University, Nha Trang, 650000, Vietnam

* Corresponding Authors: Thanh-Tuan Nguyen. Email: ; Mong-Fong Horng. Email:

(This article belongs to the Special Issue: Applications of Artificial Intelligence for Information Security)

Computers, Materials & Continua 2025, 82(3), 4881-4912. https://doi.org/10.32604/cmc.2025.061001

Received 14 November 2024; Accepted 01 February 2025; Issue published 06 March 2025

Abstract

DDoS attacks represent one of the most pervasive and evolving threats in cybersecurity, capable of crippling critical infrastructures and disrupting services globally. As networks continue to expand and threats become more sophisticated, there is an urgent need for Intrusion Detection Systems (IDS) capable of handling these challenges effectively. Traditional IDS models frequently have difficulties in detecting new or changing attack patterns since they heavily depend on existing characteristics. This paper presents a novel approach for detecting unknown Distributed Denial of Service (DDoS) attacks by integrating Sliced Iterative Normalizing Flows (SINF) into IDS. SINF utilizes the Sliced Wasserstein distance to repeatedly modify probability distributions, enabling better management of high-dimensional data when there are only a few samples available. The unique architecture of SINF ensures efficient density estimation and robust sample generation, enabling IDS to adapt dynamically to emerging threats without relying heavily on predefined signatures or extensive retraining. By incorporating Open-Set Recognition (OSR) techniques, this method improves the system’s ability to detect both known and unknown attacks while maintaining high detection performance. The experimental evaluation on CICIDS2017 and CICDDoS2019 datasets demonstrates that the proposed system achieves an accuracy of 99.85% for known attacks and an F1 score of 99.99% after incremental learning for unknown attacks. The results clearly demonstrate the system’s strong generalization capability across unseen attacks while maintaining the computational efficiency required for real-world deployment.

---

Keywords

---