Understanding Statistical and Temporal Representations for Large-Scale IoT DDoS Detection Through Ablation-Driven Analysis

Authors

  • Daniel Nomolas Wicaksono Universitas Dian Nuswantoro
  • De Rosal Ignatius Moses Setiadi Universitas Dian Nuswantoro https://orcid.org/0000-0001-6615-4457
  • Ajib Susanto Universitas Dian Nuswantoro
  • Imanuel Harkespan Universitas Dian Nuswantoro
  • Mohamad Afendee Mohamed Universiti Sultan Zainal Abidin
  • Aceng Sambas Universiti Sultan Zainal Abidin

DOI:

https://doi.org/10.62411/jcta.16126

Keywords:

Cybersecurity, Deep Learning for Cybersecurity, DDoS Detection, Explainable Machine Learning, Intrusion Detection Systems, IoT Security, Network Traffic Analysis, Representation Analysis

Abstract

Recent Internet of Things (IoT) intrusion detection studies have reported near-perfect benchmark performance for Distributed Denial of Service (DDoS) detection, yet limited attention has been given to understanding how different traffic representations contribute to the detection process under highly imbalanced traffic conditions. This study presents an ablation-driven analysis to investigate the contribution of statistical and temporal representations for large-scale IoT DDoS detection using the CICIoT2023 dataset. Three experimental scenarios are evaluated, including statistical representation, temporal sequence representation, and hybrid statistical–temporal representation. Temporal representations are learned using a one-dimensional Convolutional Neural Network (1D-CNN) with lag-based traffic sequences, while ensemble tree-based classifiers are employed for final classification and representation analysis. In addition, multiple ablation configurations are designed to evaluate the impact of temporal dependency modeling and feature engineering strategies on detection performance. Experimental results show that statistical traffic representations remain highly effective for DDoS detection on CICIoT2023, achieving 99.36% accuracy and 99.31% weighted F1-score in the statistical representation scenario. Feature importance analysis further indicates that engineered statistical features contribute substantially more to the classification process than CNN-based temporal representations. Although temporal modeling captures sequential traffic behavior, its contribution is relatively limited and mainly acts as a complementary representation. Furthermore, the hybrid configuration produces only marginal improvements over the statistical representation alone. These findings highlight the importance of representation-level analysis for understanding the actual contribution of statistical and temporal modeling in modern IoT intrusion detection systems beyond relying solely on benchmark accuracy.

Author Biographies

Daniel Nomolas Wicaksono, Universitas Dian Nuswantoro

Faculty of Computer Science, Universitas Dian Nuswantoro, Semarang, 50131, Indonesia

De Rosal Ignatius Moses Setiadi, Universitas Dian Nuswantoro

Faculty of Computer Science, Universitas Dian Nuswantoro, Semarang, 50131, Indonesia; Research Group for Quantum Computing and Materials Informatics, Faculty of Computer Science, Universitas Dian Nuswantoro, Semarang, 50131, Indonesia

Ajib Susanto, Universitas Dian Nuswantoro

Faculty of Computer Science, Universitas Dian Nuswantoro, Semarang, 50131, Indonesia

Imanuel Harkespan, Universitas Dian Nuswantoro

Faculty of Computer Science, Universitas Dian Nuswantoro, Semarang, 50131, Indonesia

Mohamad Afendee Mohamed, Universiti Sultan Zainal Abidin

Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Campus Besut, 22200, Terengganu, Malaysia

Aceng Sambas, Universiti Sultan Zainal Abidin

Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Campus Besut, 22200, Terengganu, Malaysia; Department of Mechanical Engineering, Universitas Muhammadiyah Tasikmalaya, Tamansari Gobras 46196 Tasikmalaya, Indonesia

Published

2026-05-29

How to Cite

Wicaksono, D. N., Setiadi, D. R. I. M., Susanto, A., Harkespan, I., Mohamed, M. A., & Sambas, A. (2026). Understanding Statistical and Temporal Representations for Large-Scale IoT DDoS Detection Through Ablation-Driven Analysis. Journal of Computing Theories and Applications, 3(4), 678–698. https://doi.org/10.62411/jcta.16126