Abstract
This article develops a hybrid neural network method for detecting UDP flooding in the protection systems of critical infrastructure microgrids. The method combines sequential statistics (CUSUM) with a multimodal one-dimensional convolutional (1D-CNN) architecture and a composite scoring criterion. Input features are one-minute packet-aggregated vectors carrying the packet count, average packet size, source-address entropy and the Herfindahl-Hirschman (HHI) concentration index, together with compact sketches of the top sources. To ensure that incidents are recorded in a forensically useful form, a greedy artefact selection policy based on the knapsack problem over a bounded forensic buffer is implemented. The method is theoretically justified through a likelihood ratio criterion and adaptive threshold tuning, which keeps the false alarm probability under control. Experimental validation on traffic datasets demonstrated high efficiency: an overall accuracy of 98.7%, a sensitivity of 97.4%, an average model inference time of 5.3 ms (2.5 times faster than the LSTM counterpart), a controlled false positive rate (FPR) of 0.96%, and an asymptotic detection latency that falls from 35 s to 12 s as attack intensity increases. Moreover, with a storage budget of 10 MB, 28 priority bins were selected (7.39 MB in total), preserving approximately 85% of the most informative packets for subsequent examination. The contribution of this work is a ready-to-deploy, resource-efficient detector with low latency, explainable statistical layers, and a built-in mechanism for generating a standardized evidence package that supports rapid law enforcement response.
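The statistical layer described above (one-minute feature vectors, a CUSUM change detector and greedy knapsack artefact selection) as an added illustration; this is not the paper's code, and the packet records, the CUSUM parameters k and h, the baseline mean and sigma, and the artefact scores are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample traffic as (minute, source_ip, size_bytes): five quiet minutes
# with 20 packets spread over 20 sources, then five flood minutes with 200 small
# packets per minute, 75% of them from a single source. Not real capture data.
PACKETS = (
    [(m, f"10.0.0.{i % 20}", 600) for m in range(5) for i in range(20)]
    + [(m, "203.0.113.7" if i % 4 else f"10.0.0.{i % 20}", 60)
       for m in range(5, 10) for i in range(200)]
)

def minute_features(packets):
    """Aggregate packets per minute into count, mean size, source entropy (bits) and HHI."""
    by_minute = {}
    for minute, src, size in packets:
        by_minute.setdefault(minute, []).append((src, size))
    feats = []
    for minute in sorted(by_minute):
        rows = by_minute[minute]
        n = len(rows)
        shares = [c / n for c in Counter(src for src, _ in rows).values()]
        feats.append({
            "minute": minute,
            "count": n,
            "avg_size": sum(size for _, size in rows) / n,
            "entropy": -sum(p * math.log2(p) for p in shares),  # drops under a flood
            "hhi": sum(p * p for p in shares),                   # rises toward 1.0 under a flood
        })
    return feats

def cusum_alarms(values, mean, sigma, k=0.5, h=5.0):
    """One-sided CUSUM on standardized values; returns the indices at which S exceeds h.
    mean/sigma describe the benign baseline; k is the drift allowance, h the decision threshold."""
    s, alarms = 0.0, []
    for i, x in enumerate(values):
        s = max(0.0, s + (x - mean) / sigma - k)
        if s > h:
            alarms.append(i)
            s = 0.0  # reset after raising an alarm
    return alarms

def select_artefacts(items, budget):
    """Greedy knapsack: take (artefact_id, size, score) items by score density until the buffer is full."""
    chosen, used = [], 0
    for artefact_id, size, score in sorted(items, key=lambda t: t[2] / t[1], reverse=True):
        if used + size <= budget:
            chosen.append(artefact_id)
            used += size
    return chosen, used
```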