DMU team publishes new research on using AI to spot damaging cyber-attacks

A team from De Montfort University Leicester (DMU) has published new research exploring how artificial intelligence can be used more effectively to identify a disruptive and damaging form of cyber-attack.

Distributed Denial-of-Service attacks, (DDoS) attacks happen when bad actors, including cybercriminals and hacktivists, overwhelm websites, networks or online services with waves of malicious traffic, making them unavailable to legitimate users.

The UK's National Cyber Security Centre (NCSC) has repeatedly warned of the growing threat posed by DDoS attacks, including campaigns by pro-Russian hacktivist groups such as "NoName05716" that have been targeting British organisations and critical infrastructure.

Now, DMU postgraduate data analytics student Adrian Kwiecien, and Waddah Saeed, a Senior Lecturer in Data Analytics at DMU, have investigated whether AI models can reliably detect such cyber-attacks quickly and efficiently enough to be used in real-world environments.

Using a major cybersecurity dataset, CICDDoS2019, their recently published research evaluated 210 different machine-learning pipelines. These combined five popular AI classifiers, three feature-selection methods, two tuning approaches and seven different training and testing splits.

Unlike many previous studies, the research looked beyond standard accuracy scores. It also measured practical factors such as training time, inference time, CPU usage and memory consumption.

Waddah Saeed explained: "The strongest overall pipeline used a Decision Tree classifier with Recursive Feature Elimination and Grid Search tuning. It achieved an excellent balance between detection performance and low computational cost, making it a promising option for environments where resources may be limited.

"Our research also found that tree-based machine-learning models generally offered the best trade-off between accuracy, speed and interpretability. This is important because cybersecurity teams need systems that are not only effective, but also understandable and manageable in practice."

However, the study also found that when the best-performing model was tested on a separate dataset, its performance dropped significantly. This suggests that AI models used for cyber-attack detection may struggle when faced with different real-world network conditions.

A data processing workflow illustrating the order of operations, from: An Evaluation of Supervised Machine Learning Pipelines for the Identification of Distributed Denial-of-Service Attacks Using Conventional and Computational Performance Metrics by Adrian Kwiecien andWaddah Saeed.

The findings underline the need for more realistic evaluation of AI-based cybersecurity tools before deployment. Rather than focusing on accuracy alone, developers and organisations should assess whether models are fast, efficient, scalable and reliable across different datasets.

The study provides practical guidance for researchers, cybersecurity professionals and organisations developing machine-learning systems to defend against DDoS attacks.

The research paper can be seen in full here: https://www.mdpi.com/2297-8747/31/2/62