Detecting and Mitigating DDoS Attacks with AI: A Survey

Alexandru Apostu, Silviu Gheorghe, Andrei Hîji, Nicolae Cleju, Andrei Pătraşcu, Cristian Rusu, Radu Ionescu, Paul Irofti

TL;DR

The paper addresses the growing threat of DDoS by surveying AI-driven detection and mitigation approaches across volumetric, protocol, reflection/amplification, and application-layer attacks. It introduces manual and automatic taxonomies, analyzes data formats (flows, graphs, timeseries), discusses public datasets, and explores AI-generated traffic and adversarial training to bolster robustness. It also surveys AI-generated mitigations, including rule-generation with DTs and LLMs, and outlines open research directions such as cross-dataset testing, dynamic data formats, explainable AI, and tailored anti-DDoS solutions. Collectively, the work highlights the need for holistic, robust, and explainable AI defenses that perform well in real-world, variable-bandwidth networks and across diverse datasets.

Abstract

Distributed Denial of Service attacks represent an active cybersecurity research problem. Recent research shifted from static rule-based defenses towards AI-based detection and mitigation. This comprehensive survey covers several key topics. Preeminently, state-of-the-art AI detection methods are discussed. An in-depth taxonomy based on manual expert hierarchies and an AI-generated dendrogram are provided, thus settling DDoS categorization ambiguities. An important discussion on available datasets follows, covering data format options and their role in training AI detection methods together with adversarial training and examples augmentation. Beyond detection, AI based mitigation techniques are surveyed as well. Finally, multiple open research directions are proposed.

Paper Structure

This paper contains 32 sections, 3 equations, 6 figures, 4 tables.

Figures (6)

  • Figure 1: Taxonomy of the four major categories of DDoS attacks described in separate diagrams. In each diagram, we depict an attacker who has control over networks of bot machines and targets a particular victim. Packets involved in the attacks bear the inscriptions of the typically used protocols, while on the victim side, we highlight in red and mark with bullseye the network resources that are the focus of the attacks: the network infrastructure such as communication hardware, the network software stack of the victim operating system, and the application software stack running user services.
  • Figure 2: Hierarchical grouping of the surveyed articles according to their main innovative contribution. References are linked to the papers (click on a reference to open its DOI page of the article).
  • Figure 3: A hierarchical clustering of the surveyed articles based on Ward's linkage. Each article is represented through a TF-IDF vector computed from the concatenated title and abstract of the respective article. The distance represented on the horizontal axis is computed via Eq. \ref{eq_ward_linkage}. The dendrogram is manually annotated to indicate meaningful groups of related papers. Best viewed in color.
  • Figure 4: Three representative toy examples of the most popular data extraction/organization techniques used for DDoS applications. From raw unstructured network traffic dumps, we can extract individual packet-level data, or coalesce the data into flows, and we can organize the data into: tabular, timeseries, and graph/network structured data.
  • Figure 5: Papers that reported DDoS detection time (left) and their associated accuracy score on testing data where available (right). The papers are sorted in descending order with citation indexes on the bottom axis, author names on the bar (including DOI links) and publication year at the top. The bars are color coded: blue for deep learning and green for shallow learning methods. The red line shows top reported accuracy results.
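As an added illustration of the procedure behind Figure 3 (example code written here, not the survey's own implementation), the following Python builds L2-normalised TF-IDF vectors from a few constructed title-plus-abstract strings and agglomerates them with Ward's linkage; the document labels and texts are placeholders, and the merge list it returns is the dendrogram, each entry giving the two clusters joined and the height at which they join.

```python
import math
from collections import Counter

# Constructed sample "title + abstract" strings (placeholders, not the survey's corpus).
DOCS = {
    "A": "entropy detection of udp flooding ddos",
    "B": "entropy detection of udp flooding attacks",
    "C": "graph neural network ddos detection",
    "D": "graph neural network botnet detection",
    "E": "language model rule generation for mitigation",
}

def tfidf(docs):
    """Map each document to an L2-normalised TF-IDF vector (sparse dict term -> weight)."""
    toks = {k: v.lower().split() for k, v in docs.items()}
    n = len(docs)
    df = Counter(t for words in toks.values() for t in set(words))
    vecs = {}
    for k, words in toks.items():
        tf = Counter(words)
        raw = {t: (c / len(words)) * (math.log(n / df[t]) + 1.0) for t, c in tf.items()}
        norm = math.sqrt(sum(x * x for x in raw.values()))
        vecs[k] = {t: x / norm for t, x in raw.items()}
    return vecs

def ward_distance(ca, cb, na, nb):
    """Ward linkage: sqrt(2*na*nb/(na+nb)) times the Euclidean distance between centroids,
    i.e. the square root of twice the rise in within-cluster sum of squares from merging."""
    sq = sum((ca.get(t, 0.0) - cb.get(t, 0.0)) ** 2 for t in set(ca) | set(cb))
    return math.sqrt(2.0 * na * nb / (na + nb) * sq)

def ward_dendrogram(vecs):
    """Agglomerate singletons bottom-up; return the merge list as (left, right, height)."""
    clusters = [(frozenset([k]), dict(v), 1) for k, v in vecs.items()]
    merges = []
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = ward_distance(clusters[i][1], clusters[j][1], clusters[i][2], clusters[j][2])
                if best is None or d < best[0]:
                    best = (d, i, j)
        d, i, j = best
        (ma, ca, na), (mb, cb, nb) = clusters[i], clusters[j]
        # Size-weighted centroid of the merged cluster keeps later Ward distances exact.
        cen = {t: (na * ca.get(t, 0.0) + nb * cb.get(t, 0.0)) / (na + nb) for t in set(ca) | set(cb)}
        merges.append((sorted(ma), sorted(mb), round(d, 4)))
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [(ma | mb, cen, na + nb)]
    return merges
```

With the constructed documents the two entropy/UDP papers join first, the two graph-network papers second, and the mitigation paper last, mirroring how the survey's dendrogram groups papers by shared vocabulary rather than by a hand-written taxonomy.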