Article

Cyber Approach for DDoS Attack Detection Using Hybrid CNN-LSTM Model in IoT-Based Healthcare

by Mbarka Belhaj Mohamed 1,*, Dalenda Bouzidi 2, Manar Khalid Ibraheem 2, Abdullah Ali Jawad Al-Abadi 2 and Ahmed Fakhfakh 3

1 Laboratory of Signals, Systems, Artificial Intelligence and Networks (SM@RTS), Digital Research Center of Sfax (CRNS), National School of Engineers of Gabes (ENIG), University of Sfax, Gabes 6029, Tunisia
2 Laboratory of Signals, Systems, Artificial Intelligence and Networks (SM@RTS), Digital Research Center of Sfax (CRNS), National School of Engineers of Sfax (ENIS), University of Sfax, Sfax 3038, Tunisia
3 Laboratory of Signals, Systems, Artificial Intelligence and Networks (SM@RTS), Digital Research Center of Sfax (CRNS), National School of Electronics and Telecommunications of Sfax (ENET’com), University of Sfax, Sfax 1163, Tunisia
* Author to whom correspondence should be addressed.
Future Internet 2026, 18(1), 52; https://doi.org/10.3390/fi18010052
Submission received: 16 November 2025 / Revised: 17 December 2025 / Accepted: 12 January 2026 / Published: 15 January 2026

Abstract

Healthcare has been fundamentally changed by the expansion of IoT, which enables advanced diagnostics and continuous monitoring of patients outside clinical settings. Frequently interconnected medical devices often encounter resource limitations and lack comprehensive security safeguards. Therefore, such devices are prone to intrusions, with DDoS attacks in particular threatening the integrity of vital infrastructure. To safeguard sensitive patient information and ensure the integrity and confidentiality of medical devices, this article explores the critical importance of robust security measures in healthcare IoT systems. In order to detect DDoS attacks in healthcare networks supported by WBSN-enabled IoT devices, we propose a hybrid detection model. The model utilizes the advantages of Long Short-Term Memory (LSTM) networks for modeling temporal dependencies in network traffic and Convolutional Neural Networks (CNNs) for extracting spatial features. The effectiveness of the model is demonstrated by simulation results on the CICDDoS2019 datasets, which indicate a detection accuracy of 99% and a loss of 0.05%, respectively. The evaluation results highlight the capability of the hybrid model to reliably detect potential anomalies, showing superior performance over leading contemporary methods in healthcare environments.


1. Introduction

Health care aims to cultivate and sustain individual customer relationships to improve their health in the long run [1]. To enhance health results and achieve cost-effective, more environmentally sustainable health care, the sector incorporates technologies such as big data, artificial intelligence, and IoT. Personal health care services consider the wellbeing of all clients and caregivers while attempting to attain the best possible equilibrium of service diversification, cost and benefit tradeoffs, and other parameters [2].
The Internet of Things offers the promise of more complete integration of various networks and systems, as well as of the various sensors and other medical equipment in the health care sector [3]. Still, with such integration, the vulnerabilities that come with interconnectedness grow, and so do the risks. Cyber risks come from anyone with the incentive and the capability to compromise and attack systems, be they individual, corporate, or governmental. Those looking to exploit weak, untested systems, compromised devices, and default credentials face less resistance, yet the risks are as big as they get. The objectives are data exfiltration, theft of trade secrets, classified information, or private data, or disruption of business activities.
Recent developments with the internet have allowed Wireless Body Sensor Networks (WBSNs) to integrate with modern healthcare systems [4]. These systems include wearable sensing devices that track bodily signals and send them to a central base station, which can be located at a public or medical site. They allow the remote discovery and early diagnosis of medical anomalies, which can be critical for patient well-being. Integrating WBSNs into IoT-enabled healthcare systems brings challenges to do with security, accessibility, and overall system functionality, but the benefits far outweigh the challenges.
The impact of new technologies, especially Artificial Intelligence, continues to shape and deepen the control of the system, where deep learning (DL) methodologies allow for the automation of task completion, the understanding of user and device actions, and a better interpretation of the data [5].
Given the importance of health care software, strong IoT security is a must. Researchers have examined various deep learning methods aimed at defending WBSN-enabled IoT infrastructure against DDoS attacks. Deep learning models enhance the monitoring, manipulation, and defense of these networks. For example, DDoS attacks have been detected from network traffic and mitigated using thresholds, behavioral traffic indicators, and control. However, these threshold-driven methods have frequently been unsatisfactory with more complex and dynamic traffic. More advanced deep learning architectures have proven more effective, using convolutional neural networks to detect patterns and anomalies in network data [6,7].
This research explores efficient and accelerated DDoS detection techniques in WBSNs, which is the main contribution to DDoS research. The suggested model combines the predictive power of CNN for pattern recognition in data and LSTMs for temporal analysis. The algorithm can differentiate the relevant features and capture the DDoS attacks’ intricate temporal and spatial dependencies in raw healthcare traffic data. Unlike traditional techniques, the proposed hybrid LSTM-CNN approach offers greater resilience to the DDoS attacks’ evolving patterns. The following points summarize this research’s main contributions:
  • We have implemented a hybrid deep learning model to identify and classify DDoS and IoT attacks in an IoT-based healthcare environment. The hybrid model makes DDoS attack detection accurate and efficient by combining the strengths of CNN and LSTM in terms of spatial and temporal features.
  • The proposed CNN-LSTM-based hybrid system automatically learns characteristics from raw healthcare network traffic, adapts in real time, and effectively identifies attack paths to minimize disruptions to network operations and reduce false alarms.
  • The IoT healthcare security and CICDDoS2019 datasets are used. Our model is assessed by contrasting its performance with that of CNN, LSTM, and the proposed deep learning techniques.
The remainder of this paper is structured as follows. Section 2 provides a review of relevant literature. Section 3 introduces the proposed approach. In Section 4, the experimental setup and methodology are described, including details of its multiple phases. Section 5 presents the results and corresponding discussion. Finally, Section 6 concludes the paper.

2. Related Works

Significant research efforts have focused on intrusion detection within IoT networks. Machine learning, deep learning, and hybrid datasets are the most common types used by academics to detect and prevent assaults. New and innovative studies on DDoS attack detection in healthcare systems that use IoT are detailed here.

2.1. Machine Learning Methods

To address the increasing vulnerability of IoT networks, the study in [8] proposes a machine learning framework designed for DDoS attack detection. The framework is composed of three main components: a data preprocessing module, a dynamic feature selection module to optimize relevant attributes and reduce training duration, and a classification module for attack identification. The authors evaluated the framework using five classifiers: Decision Tree (DT), Gaussian Naive Bayes (GNB), Logistic Regression (LR), k-Nearest Neighbors (KNN), and Random Forest (RF) on the CIC-IDS-2018 dataset.
An alternative strategy employs a hybrid methodology to detect DDoS attacks within IoT networks [9]. This method integrates feature selection techniques, including Random Forest ANOVA, Extra Trees, and Chi-square, alongside a suite of machine learning classifiers such as XGBoost, k-Nearest Neighbors (KNN), Decision Trees (DT), and Random Forests (RF). The proposed system is trained and evaluated on the CICDDoS2019 dataset within a cloud-based environment.
The authors of [10] proposed a system for detecting DoS attacks at the application layer of the MQTT communication protocol. The proposed system is a hybrid security system combining an IDS for anomaly detection with various supervised machine learning methods (KNN, DT, RF, and SVM). The evaluation emphasized demonstrating that the system can successfully detect attacks using parameters such as field length and size to minimize false positives. The results show that even with limited resources, attackers can effectively flood MQTT brokers. The proposed system also demonstrates good detection accuracy.
IoT systems run the risk of being compromised. One example is DoS attacks, which benefit competitors by blocking the services of the IoT network to its legitimate customers. Sufficient defense mechanisms must be developed and implemented to minimize the impact of counter attacks on the systems, devices, and information of IoT networks. The focus of the study [11] is to design a hybrid defense mechanism incorporating machine learning, anomaly abuse and an intrusion detection system (IDS) to stop hackers from successfully executing DoS attacks on devices in IoT networks. Several popular supervised machine learning methods were implemented within the IDS to reach the targeted results. The devised model was trained on the most recent IoTID20 dataset to detect anomalous behavior in IoT networks. The Genetic Algorithm (GA) model was the best performer in training the DT and RF classifiers. The most commendable metric that validated the superiority of DT was its low training and testing time.
As the number of networked devices increases, it creates a number of security flaws, including identity theft, unauthorized access to medical records, and circumstances that could be fatal. Furthermore, it is getting harder to secure every device access point in real time. A proposed study [12] looked into the possibilities of supervised machine learning techniques in detecting abnormal activity using the CCIoT2023 dataset. The recently released dataset consists of 46 attributes that indicate 33 distinct categories of IoT threats with different numbers of instances of data. The study investigated using the SMOTE method to distribute data in a balanced manner in order to improve machine learning models. Classification models were examined for three “IoT Attack” strategies: two-class, eight-class, and thirty-four-class. The model’s performance was marginally enhanced by removing highly correlated characteristics with an estimated accuracy of 99.55% using Random Forest, but real-time detection was made possible and computational response time was decreased.

2.2. Deep Learning Methods

In [13], the authors propose a model for detecting DDoS attacks in IoT devices. Their approach introduces a detection system that employs Long Short-Term Memory (LSTM) networks and deep neural networks (DNN) on an augmented version of the CICDDoS2019 dataset, which incorporates an updated taxonomy of DDoS attack types.
Yan et al. [14] investigated the use of transfer learning combined with convolutional neural networks (CNNs) for anomaly based intrusion detection. Their results demonstrated that these techniques achieve strong performance for both binary and multi-class IoT intrusion detection tasks.
A federated transfer learning technique for intrusion and attack detection in mobile computing settings was presented by the authors of another study [15]. CNN and transfer learning worked together to improve performance and save computational costs. There are still issues in detecting online attacks and dealing with the dynamic nature of IoT setups.
To address DDoS attacks in Software-Defined Networks (SDN), ElSayed et al. [16] introduced DDoSNet, a deep learning framework designed for intrusion detection. The framework employs autoencoders and recurrent neural networks to independently process the data and control planes. Using the CICDDoS2019 dataset, which contains a variety of DDoS attack patterns, the authors demonstrated that deep learning techniques outperform traditional methods in enhancing detection performance within SDN environments.
Almaraz et al. [17] focused on DoS and DDoS attacks within IoT environments. Using the Bot-IoT dataset, they addressed issues related to class imbalance and proposed a hybrid approach combining deep learning and traditional machine learning techniques. Their experiments, conducted on various feature subsets for both binary and multi-class classification, indicated that Decision Trees and Multilayer Perceptrons were the most effective models for detecting these attacks.

2.3. Hybrid Methods

Aswad et al. [18] constructed a hybrid deep learning model which combines CNN, LSTM, and RNN components into a single architecture, specifically a CNN-BiLSTM, for DDoS detection. This model was then trained and validated on the CICIDS2017 dataset.
Hossain et al. [19] also investigated the application of LSTM networks for detection of intrusions and the impact of hyperparameter tuning on detection performance, such as on the selection of optimizers, learning rates, loss functions, and different activation functions on the same dataset.
Nguyen et al. [20] proposed a hybrid detection technique to address the inability of supervised models to detect unseen DoS/DDoS attacks in IoT systems. Their method combines a Local Outlier Factor mechanism with a soft-ordering CNN and nearest-neighbor ensemble methods for anomaly isolation. This model achieved better performance on several datasets.
Hizal et al. [21] created a deep learning-based intrusion detection framework, specifically for the accurate identification of DDoS attacks in IoT networks. Using the CICIoT-2023 dataset, the evaluation focused on different network architectures, specifically DNN, CNN, and LSTM. To enhance the quality of the dataset and address class imbalance, several preprocessing techniques were implemented, including normalization, removal of duplicates, feature extraction, and controlled sampling.
Abbas et al. [22] examined the efficiency of models for detecting cyberattacks in IoT environments using the CICIoT2023 dataset, with a focus on DNN, CNN, and RNN models.
Ain et al. [23] implemented a model combining CNN, LSTM, and autoencoder layers, configured to both classify and detect DDoS attacks. They achieved 96.78% and 98.12% accuracy on the IoT Healthcare Security and CICDDoS2019 datasets, demonstrating the model’s capability of capturing the different patterns of traffic in IoT. Still, they mentioned the challenges associated with training times and class balancing.
Ullah et al. [24] describe an explainable hybrid detection model specifically for IoT Healthcare SDN Security in Industry 5.0. LSTMs were used for the temporal processing, while CNNs were configured to perform spatial feature extraction. Their model achieved an impressive detection accuracy of 99.59% and 98.12% on the CICDDoS2019 and IoT Healthcare Security datasets. To explain the model’s decisions, the authors used SHAP values to highlight the most important features for attack detection.
Current ways to find and stop DDoS attacks use traditional methods like statistical analysis. These traditional methods are capable of identifying certain kinds of attacks, but they struggle to appropriately depict the complexity and bidirectional nature of network traffic, particularly when it comes to advanced, dynamic attacks. To improve DDoS detection accuracy, it is imperative to focus on the segregation of both high-level and low-level data and their integration into hybrid models.

3. Proposed Approach

In the upcoming section, we describe the design and components of the proposed intrusion detection system. The core aim of an IDS is the ability to identify and distinguish different classes of DDoS security threats specific to medical IoT networks [25]. In the pursuit of accomplishing this aim, the architecture needs to integrate a plurality of cooperating units and adaptive mechanisms to enhance accuracy in intrusion detection. The subsequent sections will elaborate further on the suggested IDS strategy which incorporates a hybrid design integrating multiple features, placement strategies, and detection mechanisms.

3.1. Architectural Design

This section focuses on the layout of the model and its constituents, with the aim of building a resilient and flexible network security architecture capable of mitigating prospective attacks. As shown in Figure 1, the proposed architecture incorporates a number of fundamental components: wearable devices, data collection, data preprocessing, deep learning model, and decision layer. Each layer improves the functionality and security of the system in one or more ways.
Within the network of a hospital, medical devices operate on the outermost layer as specialized devices. Medical devices made of IoT sensors and actuators are important for the function of wearable sensors used to monitor the location, activity, and health of patients. In the hospital environment, edge devices are deployed to obtain crucial real-time information for the monitoring and treatment of patients. However, these devices require efficient communication with upper layers due to their limited processing and storage capabilities [26]. Wireless edge devices post-detection have greater processing capabilities and can perform advanced data processing, including anomaly detection. This feature is essential for the quick implementation of suitable defenses against potential threats like DDoS.
The topmost level of the IDS architecture is the decision layer, a significant component of the IDS design. The purpose of the IDS is to focus on primary intrusion detection and defense. It obtains the insights, alerts, and notifications from the deep learning model. It offers advanced network supervision and, as a focal point for all security policies, updates, and changes, enables continuous improvement of defense automation. All IoT devices, regardless of their location on the network, receive the latest updated information on user behavior as a result of the cloud layer’s real-time behavioral updates. The system’s integrity and security are paramount, especially when there is a threat of disruption, such as a DDoS attack.

3.2. Hybrid Model Design

In Internet of Things (IoT) intrusion detection systems, combining LSTMs with other deep learning architectures, especially CNNs, is significant. It helps find crucial data patterns and features, which is a big step forward for the privacy and security of IoT systems [27]. In the proposed CNN-LSTM structure, each component is positioned according to its specific properties, as depicted in Figure 2. For feature extraction, the CNN can examine huge amounts of traffic data to find important patterns, which makes it useful in large, complicated network settings.
There are three main layers in a CNN: the convolution layer, the pooling layer, and the fully connected layer. The convolution layer concentrates on extracting features from the input data, whereas the pooling layer subsamples the extracted features. The fully connected layer combines the features that were found and uses a classifier to classify them. LSTM, in turn, is a more advanced version of the regular RNN approach.
Its unique advantage is that it can capture and interpret long-range dependencies and contextual information. This is especially important given how IoT networks are constantly changing. It allows the LSTM to work with long-term sequence data and makes intrusion detection more accurate. During the hybrid training phase, the CNN and LSTM modules are trained in isolation. The purpose of this phase is to reduce loss, with cross-entropy loss as the chosen criterion. Each model treats the incoming data in its own way: the LSTM module processes temporal inputs, while the CNN module performs convolution on a batch of discretely sampled network traffic instances. To feed the LSTM block, input instances that share the same timestamp are assembled into batches. These models look at a given number of data points. For example, the LSTM module finds connections between the same events, while the CNN module is based on space. We combine the predictions after the models have been trained to improve DDoS attack detection.

3.3. Hybrid Model Overview

For further clarification, the suggested hybrid CNN–LSTM architecture is displayed in Figure 3 below. It integrates convolutional neural networks (CNNs) and long short-term memory networks (LSTMs) to leverage both spatial and temporal feature learning. The model's components are described below:
  • Input Layer:
The model accepts preprocessed input data, which can be either raw time-series signals, tabular features, or traffic flow matrices. The input is typically reshaped into a format suitable for 2D convolution (for CNN) or sequential processing (for LSTM).
  • Convolutional Layers (CNN Module):
The CNN module comprises one or more 1D or 2D convolutional layers, each followed by batch normalization and a nonlinear activation function (commonly ReLU). These layers automatically extract high-level spatial or local patterns from the input data. Max-pooling layers are optionally included to reduce dimensionality and emphasize the most salient features.
  • Flattening/Feature Transformation:
The output of the final convolutional layer is flattened or reshaped into a sequence suitable for temporal modeling. This transformation bridges the spatial features extracted by the CNN to the sequential input required by the LSTM layers.
  • LSTM Layers:
The LSTM module consists of one or more LSTM layers that model temporal dependencies and sequential correlations in the features extracted by the CNN. The LSTM’s inherent gating mechanism captures long-term dependencies while mitigating vanishing gradient issues, which is crucial for time-dependent data.
  • Fully Connected Layer(s):
The output from the LSTM layers is passed to one or more fully connected (dense) layers, optionally with dropout for regularization. These layers integrate the learned spatial-temporal representations and prepare them for classification or regression tasks.
  • Output Layer:
For classification tasks, a softmax or sigmoid activation is used depending on whether the problem is multi-class or binary. For regression tasks, a linear activation is applied.
  • Training and Optimization:
The network is trained using supervised learning with a suitable loss function (e.g., cross-entropy for classification, mean squared error for regression). Optimization is typically performed using Adam or RMSprop, with early stopping to prevent overfitting.
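The layer stack listed above, written out in Keras as an added example (not the authors' code). The filter counts, LSTM width, dropout rate, batch size and patience are assumptions; the 20 input features and the six traffic classes follow Sections 4 and 4.2.

```python
"""CNN -> LSTM classifier following the layer list in Section 3.3 (added example)."""


def lstm_input_shape(n_features=20, filters=(32, 64), pool_size=2):
    """Return (timesteps, channels) seen by the LSTM after the CNN blocks.

    'same'-padded convolutions keep the sequence length; every max-pooling
    layer floor-divides it by pool_size.
    """
    steps = n_features
    for _ in filters:
        steps //= pool_size
    if steps < 1:
        raise ValueError("too many pooling stages for this feature count")
    return steps, filters[-1]


def build_cnn_lstm(n_features=20, n_classes=6, filters=(32, 64),
                   pool_size=2, lstm_units=64, dropout=0.3):
    """Build and compile the hybrid model (all widths are assumed values)."""
    lstm_input_shape(n_features, filters, pool_size)  # fail early on bad sizes
    # Imported lazily: TensorFlow is heavy and only needed to build the graph.
    from tensorflow.keras import layers, models

    # One flow = one row of scaled features, read as a sequence with 1 channel.
    inputs = layers.Input(shape=(n_features, 1))
    x = inputs
    for f in filters:
        x = layers.Conv1D(f, kernel_size=3, padding="same")(x)
        x = layers.BatchNormalization()(x)
        x = layers.Activation("relu")(x)
        x = layers.MaxPooling1D(pool_size=pool_size)(x)
    # The conv output is already (timesteps, channels), the 3-D layout an
    # LSTM expects, so no Flatten is needed between the two modules.
    x = layers.LSTM(lstm_units)(x)
    x = layers.Dense(64, activation="relu")(x)
    x = layers.Dropout(dropout)(x)
    outputs = layers.Dense(n_classes, activation="softmax")(x)

    model = models.Model(inputs, outputs)
    model.compile(optimizer="adam", loss="categorical_crossentropy",
                  metrics=["accuracy"])
    return model


def fit_with_early_stopping(model, X, y_onehot, epochs=50, patience=5):
    """Train with early stopping on validation loss.

    X has shape (n_samples, n_features, 1). validation_split takes the tail
    of the arrays, so shuffle them first or pass a stratified validation set.
    """
    from tensorflow.keras.callbacks import EarlyStopping

    stop = EarlyStopping(monitor="val_loss", patience=patience,
                         restore_best_weights=True)
    return model.fit(X, y_onehot, validation_split=0.2, epochs=epochs,
                     batch_size=256, callbacks=[stop], verbose=0)


if __name__ == "__main__":
    print("LSTM input (timesteps, channels):", lstm_input_shape())
    build_cnn_lstm().summary()
```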

4. The Experimental Setup and Methodology

This section details the experimental design and evaluation approach used to test the proposed hybrid CNN–LSTM model with real-world data from the CICDDoS2019 dataset. To counter the class imbalances, balanced random sampling was used to ensure equal representation of the DDoS attacks in DNS, UDP, UDP-Lag, NTP, SYN, and benign traffic. To ensure dataset consistency, the preparation steps included dataset normalization, duplicate removal, and the correction of missing data. To ensure valid results, we utilized the TensorFlow and Keras libraries to perform the experiments in Python. The model's performance for different types of attacks is evaluated using metrics such as accuracy, precision, recall, and F1-score. To guarantee an accurate assessment, we used a laptop with the following hardware configuration: CPU: Intel Core i7-12700K (12 cores); GPU: NVIDIA RTX 3080 (10 GB VRAM); memory: 32 GB DDR4 RAM; storage: SSD NVMe 1 TB. As for the software tools, we used the deep learning framework TensorFlow 2.9/Keras with its supporting libraries to carry out the research in Python 3.9.

4.1. Data Acquisition

The system may be trained to identify DDoS attacks using a variety of datasets. Network traffic in real time must be included in the dataset. The dataset needs to be broad and flexible. The collection should also include the latest DoS attacks and include a range of attack vectors.
The CIC-DDoS2019 dataset was selected based on several criteria that align with the objectives of our study:
  • Comprehensiveness and diversity of attack types: it contains 12 major families of volumetric and application-layer DDoS attacks (e.g., SYN, UDP, MSSQL, LDAP, NetBIOS, SSDP, PortMap, etc.). This diversity provides a robust foundation for training and evaluating deep learning models intended for heterogeneous IoT environments where various attack vectors may occur.
  • Relevance to IoT-driven ecosystems: Although the dataset is not recorded in a healthcare-specific infrastructure, its traffic patterns, attack vectors, and device behaviors match those commonly observed in IoT-based systems, including healthcare IoT. Many medical IoT devices operate over similar protocols (HTTP, DNS, UDP, MQTT-like lightweight traffic), and the volumetric/application-layer attacks represented in CIC-DDoS2019 are the same categories observed in healthcare cyber incidents.
  • High-quality traffic generation and realistic network setup: the dataset was captured by the Canadian Institute for Cybersecurity using a realistic enterprise-like network topology with background benign traffic. This ensures data quality, proper labeling, and realistic traffic behavior, which are key factors for model generalizability.
  • Ethical and practical constraints: CIC-DDoS2019 therefore provides a safe, publicly accessible, and methodologically sound alternative while still capturing the essential characteristics of IoT Distributed Denial-of-Service behavior.

4.2. Data Pre-Processing

It is crucial to do exploratory analysis on the dataset and its properties in order to create an extremely accurate model. The dataset is pre-processed before being fed into the deep neural network. In order to get the dataset ready for model training, data preparation is essential. Inconsistencies, missing values, or noise in raw data could potentially impair the models’ performance. As a result, the dataset goes through a number of preparation procedures, such as encoding categorical variables and standardizing features to make sure they are on the same scale. To enable appropriate model evaluation, the data are also divided into training and testing sets. This separation makes it possible to train the model on a subset of the dataset and then test it on an unobserved subset, which aids in determining how well it can generalize. Dimensionality reduction approaches and feature engineering were used to concentrate on the most pertinent qualities for categorization in order to manage the high-dimensional nature of IoT data. Several procedures were systematically integrated into the training pipeline to reduce overfitting and enhance the generalization capability of the CNN–LSTM hybrid model: Train–validation split with stratification, normalization and feature scaling, balanced class representation, etc. The following are examples of preprocessing steps:
  • Data Standardization:
Standardization is especially crucial when the features have different scales or ranges since machine learning methods, such as neural networks, are sensitive to variations in magnitudes of the features. Larger range features may dominate the learning process, resulting in slower convergence or an excessive amount of attention being paid to particular characteristics by the model. In order to avoid this, every functionality is standardized. Using the Standard Scaler technique, this is accomplished.
  • Data Cleaning:
The dataset was then filtered to eliminate any lines that repeated and represented class instances. Next, an analysis was performed to find any values that could be regarded as missing values, such as “NAN” (Not A Number) or “INF” (Infinite Value). The performance of the final models is immediately and naturally impacted by these parameters, which are handled very poorly by deep learning algorithms and machine learning algorithms in general. Since we have enough data, and it looks like the data chosen for this study contains several values of ‘NAN’ for the Flow Bytes column, the lines with NAN or INF values have been removed in order to preserve this feature.
The descriptive statistics that summarize the distribution and dispersion of the data set revealed that some columns are empty (their values are always 0). These characteristics do not contain any discriminatory information that would allow one to distinguish between the different attack classes, but they may also have negative effects. These columns are “Bwd PSH Flags,” “Fwd URG Flags,” “Bwd URG Flags,” “FIN Flag Count,” “PSH Flag Count,” “ECE Flag Count,” “Fwd Avg Bytes/Bulk,” “Fwd Avg Packets/Bulk,” “Bwd Avg Packets/Bulk,” “Bwd Avg Bulk,” and “Bwd Avg Bulk.”
  • Categorical Data Encoding:
The data set contains a specific number of categorical-type attributes that need to be encoded. A digital column has been created from the Flow Packets/s column. The IP address and timestamp, among other categorical data, have been eliminated, though. The characteristics “Flow ID,” “Source IP,” “Destination IP,” “Timestamp,” and “Inbound” are also eliminated so that only the characteristics of the network traffic (traffic features) remain. This is because it was thought that these characteristics are related to connection information and do not represent the properties of DDoS attacks, which can be produced at any time by any machine against any victim machine.
A widely used method known as “one-hot encoding” was used to encode the Label column, which indicates the class of each instance. With a value of 1 denoting true (this instance belongs to this class) or 0 denoting false (this instance is not of this class), the encoding will transform the associated lines of categories into their column.
Every instance of a class contains information that accurately represents its class when we acquire high-quality data. Standardization should be performed before the learning process begins. Normalizing the input data has an impact on model construction by slowing down learning and accelerating model formation. Lowering the generalization error may also have a regularizing impact.
  • Data Splitting:
Once the CICDDoS2019 dataset has been preprocessed and encoded, it is divided into training and testing subsets. The training subset is employed to fit the machine learning models, whereas the testing subset is reserved for evaluating the models on previously unseen data. Typically, an 80/20 split between training and testing data is applied, although other ratios can be used depending on dataset size. Stratified sampling is implemented to maintain proportional representation of both “normal” and “attack” classes across the subsets. This approach ensures that the models are trained on a balanced dataset, improving their ability to generalize and make accurate predictions on new or unseen samples.
  • Feature Extraction
Working with high-dimensional data brings complexities when training AI models as such data has a high risk of overfitting. The goal of this study is to simplify the dataset in a way to capture the most relevant data points to identify the most important data trends, thus making the data less complex.
The goal of this study is to transform the raw dataset into an elaborated representation that is suitable for classification by different deep learning models. The focus is on extracting the relevant trends using complex feature extraction methods such as CNN and LSTM networks, which are described in the upcoming chapters. To use these techniques to the fullest, they are combined with other techniques to form a hybrid approach.
Dropout layers are used to avoid overfitting and enhance generalization in the fully connected layers that come after the concatenation, which are intended to further refine these characteristics. Based on these results, 20 features (as shown in Figure 4) were retained as they contributed the most to DDoS classification performance while reducing dimensionality and training complexity.
The LSTM and CNN-derived features are combined in a hybrid model to optimize the advantages of the various feature extractors discussed above. From the data, each of these models retrieves complementing properties. The hybrid model can leverage the advantages of each distinct model by concatenating the outputs. This method produces a more robust and thorough feature representation by enabling the model to understand long-range dependencies as well as local and global trends in the data.
The first step in the hybrid model involves extracting the output features from each individual component model. These features are then combined into a single, unified feature vector, which serves as the input to a fully connected neural network for classification. By merging the features in this way, the model can leverage the unique strengths of each individual component, resulting in a more robust and informative feature representation.
  • Anomaly Detection
The LSTM and CNN models are combined to create a hybrid system that thoroughly examines network traffic data to identify anomalies, including possible DDoS attacks. Whether it is identifying temporal correlations, spatial patterns, or departures from typical behavior, each model adds a distinct element to feature extraction, creating a potent system that can detect anomalies with more accuracy.
An integrated model based on LSTMs and CNNs has been developed to examine statistics on network traffic and identify anomalies such as DDoS attacks. Each model focuses on a distinct analysable aspect, such as temporal correlation, spatial patterns, or changes in behavior, and contributes to an effective system for more precise anomaly detection.
After being fully interconnected and trained, these features are passed through a last dense layer designed to distinguish attacks from legitimate network traffic. This layer is responsible for classification, using features from the integrated set to differentiate between normal and attack data. Learning from more than one integrated feature set also allows this layer to capture a wider spectrum of network traffic patterns. The integrated model, having combined the strengths of all three approaches, has proven effective in detecting DDoS attack anomalies where timing, spatial, or behavioral patterns may differ.
The hybrid model also tends to generalize better for distinct attack scenarios, reducing the false positive rates that anomaly detection approaches usually target and ensuring better precision in attack detection.

5. Performance Evaluation

This part focuses on the evaluation of the hybrid models for DDoS attack prediction. How well the models were able to distinguish DDoS attacks from benign records is captured in the results in terms of accuracy, precision, recall, F1 score, and loss.

5.1. Model Training

For the model to accurately differentiate between attack and regular traffic patterns, hybrid model training must follow some important protocols. The Adam optimizer, one of the very few optimizers that perform effectively in deep learning applications, is used for weight updates during training. Adam is efficient in complicated, nonlinear optimizations such as training a neural network since it modifies the learning rate based on the training schedule. Because the labels are one-hot encoded and this is a multi-class classification problem, cross-entropy is chosen as the loss function. It is a popular loss function in multi-class classification problems, and it measures the divergence between the actual and predicted class distributions.
The model is trained to recognize the patterns in the data, and to ensure that the model captures the variations between the “attack” and “normal traffic” classes, a number of class-imbalance configurations are used. To tackle overfitting, early stopping is employed: training is halted when a model is found to be learning the training data very well but fails to perform on new data.
The hyperparameters used in the proposed CNN–LSTM model are presented in Table 1. They were selected using a systematic optimization procedure to ensure robust performance and prevent overfitting. We initially explored a range of candidate values for key hyperparameters, including the number of CNN filters and kernel sizes, the number of LSTM units and sequence length, dropout rates, and batch size. Then, each hyperparameter configuration was evaluated on the validation set. The combination that maximized validation accuracy while minimizing validation loss was selected. After that, dropout layers and batch normalization parameters were tuned to stabilize training and reduce overfitting, based on monitoring training and validation loss fluctuations. Finally, an adaptive optimizer (Adam) with learning rate scheduling was used to prevent divergence and accelerate convergence.

5.2. Model Evaluation

During the evaluation, the model is tested on a held-out dataset; this is the final step of the three-step model evaluation process. This measure indicates how good the model is at classifying a data point as attack versus benign traffic, and whether the model can extrapolate to new instances from the data distribution. Several separate metrics are aggregated to develop a composite score, including accuracy, precision, recall, and F1 score.
This evaluation is used to understand how well the model can classify data points as attack versus benign traffic, and how well the model can transfer to novel data. The evaluation provides a comprehensive assessment of the model. After going through the model training process, each model is evaluated for predictive performance on an independent dataset.
This measure indicates how well the model can classify the data points as attack or benign traffic. The model evaluation process has three steps, of which the final step involves testing the model on a separate dataset held out during the training process.
Accuracy: Accuracy demonstrates the categorization model’s overall efficacy. It divides the total number of occurrences (including false positives and false negatives) by the number of correctly categorized true-positive (TP) and true-negative (TN) cases. The accuracy is calculated using Equation (1).
$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \qquad (1)$$
Precision: Precision quantifies the percentage of real true-positive cases (TP) among the cases that the model classifies as positive. It assists in determining how well the model steers clear of false positives. Equation (2) is used to calculate precision as follows:
$$\mathrm{Precision} = \frac{TP}{TP + FP} \qquad (2)$$
Recall: Recall is the model’s capacity to recognize every pertinent true-positive case (TP). It shows how successfully the model steers clear of false negatives. Recall is computed using Equation (3).
$$\mathrm{Recall} = \frac{TP}{TP + FN} \qquad (3)$$
F1-Score: The F1-score represents the harmonic mean of precision and recall, offering a single metric that balances both measures. It is particularly useful when a comprehensive assessment of both precision and completeness is required. The F1-score can be calculated using Equation (4) as follows:
$$\text{F1-Score} = \frac{2 \times \mathrm{Precision} \times \mathrm{Recall}}{\mathrm{Precision} + \mathrm{Recall}} \qquad (4)$$
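Equations (1) to (4) applied per class and macro-averaged, as an added example (not the authors' evaluation code). It goes slightly beyond the binary formulas by treating each class in turn as the positive one. The label lists are constructed to show why accuracy alone says little on imbalanced traffic.

```python
def confusion_counts(y_true, y_pred, positive):
    """Return (TP, TN, FP, FN), treating `positive` as the class of interest."""
    tp = tn = fp = fn = 0
    for truth, guess in zip(y_true, y_pred):
        if guess == positive:
            if truth == positive:
                tp += 1
            else:
                fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return tp, tn, fp, fn


def ratio(numerator, denominator):
    """Division that returns 0.0 when a class was never predicted or present."""
    return numerator / denominator if denominator else 0.0


def report(y_true, y_pred, positive):
    """Accuracy, precision, recall and F1 as in Equations (1)-(4)."""
    tp, tn, fp, fn = confusion_counts(y_true, y_pred, positive)
    precision = ratio(tp, tp + fp)
    recall = ratio(tp, tp + fn)
    return {
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),
        "precision": precision,
        "recall": recall,
        "f1": ratio(2 * precision * recall, precision + recall),
    }


def macro_f1(y_true, y_pred):
    """Unweighted mean of the per-class F1 scores."""
    classes = sorted(set(y_true))
    return sum(report(y_true, y_pred, c)["f1"] for c in classes) / len(classes)


# Constructed test labels: 990 attack flows and 10 benign flows.
Y_TRUE = ["attack"] * 990 + ["benign"] * 10

# A degenerate detector that flags every flow as an attack.
ALWAYS_ATTACK = ["attack"] * 1000

# A constructed detector output: 5 missed attacks, 1 benign flow flagged.
DETECTOR = ["attack"] * 985 + ["benign"] * 5 + ["attack"] * 1 + ["benign"] * 9


if __name__ == "__main__":
    for name, pred in (("always-attack", ALWAYS_ATTACK), ("detector", DETECTOR)):
        print(name, "macro F1 = %.3f" % macro_f1(Y_TRUE, pred))
        for cls in ("attack", "benign"):
            print("  ", cls, report(Y_TRUE, pred, cls))
```

The always-attack baseline reaches 99% accuracy while its benign recall and benign F1 are zero, which is why per-class figures and the macro average belong next to the accuracy number.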

5.3. Results

The three deep learning models that we have implemented (the CNN, the LSTM, and the CNN-LSTM) are part of the healthcare transformation that is enabled by the Internet of Things. In order to train and test these models, the CICDDoS2019 dataset was utilized.
An extensive battery of tests has been executed to ascertain the appropriate hyper parameters for every model, including those pertaining to the network structural variables (e.g., neuron count, layer count, activation function, etc.), batch size, iteration count, etc. These factors greatly affect the performance of models when they are learning, but they cannot be adjusted during this period. Once a good model with the lowest error rate and the highest accuracy had been found, we tested it on the subset of tests, and the results are shown in Figure 5 and Figure 6. In the first experiment, we assess the two models, CNN and LSTM, separately. This suggests that these models will have broad applicability outside of the learning set. Next, we used the test set to evaluate the proposed hybrid model.
  • Convolutional Neural Network (CNN)
The CNN model’s training and validation results across 8 epochs demonstrate a continuous decrease in loss and a notable improvement in classification accuracy. The model obtained a training accuracy of 54.74% with a loss of 0.0690 during the first epoch, whereas the validation had a loss of 0.0692 and was 52.80% accurate. The fluctuations in the training and validation loss were indeed expected given the hybrid nature of the CNN–LSTM model and the complexity of the CIC-DDoS2019 dataset.
Loss fluctuations are small and remain within a stable range. Although minor oscillations appear in the curves, both the training and validation losses show a consistent downward trend without divergence. This indicates that the model is steadily optimizing rather than memorizing noise. Several factors contribute to these variations: highly dynamic dataset characteristics, temporal dependencies in LSTM layers, stochastic gradient descent behavior, hybrid model complexity and learning rate selection. These preliminary findings indicate that the model performed reasonably well from the start, likely due to careful data preprocessing and efficient initial weight initialization.
  • LSTM Model
The training and validation loss over 8 epochs for the LSTM model is illustrated in Figure 6. The training loss (blue line) by the end of the period was decreased to 0.6920, and the validation loss (red line) had attained a minimum of 0.6905, demonstrating the model’s capacity to accurately and efficiently rebuild the input data. As for performance accuracy, both curves converge toward low-high values, suggesting that the model achieves a strong performance on both the training and validation datasets by the final epoch.
  • Hybrid Model
The proposed CNN-LSTM hybrid model was subjected to a thorough training protocol consisting of 8 epochs for the feature extraction phase and an additional 8 epochs for the classification phase. Incorporating confusion matrix and AUC metrics strengthens the evaluation by providing a more nuanced view of model performance beyond conventional metrics. Figure 7 illustrates the resulting confusion matrix.
As shown, the proposed model achieves highly reliable discrimination between benign and malicious traffic, with errors concentrated at the extreme margins of the decision boundary. These results collectively suggest that the model handles class imbalance effectively, avoids overfitting, and provides a more reliable detection performance than traditional ML baselines typically reported on CICDDoS2019. However, the small number of misclassifications, particularly the false negatives, indicates potential benefits from additional fine-tuning around boundary cases, such as incorporating attention layers or threshold optimization to further enhance sensitivity to subtle malicious flows.
The proposed hybrid model exhibits outstanding predictive performance on the CICDDoS2019 dataset. As shown in the classification report in Figure 8, benign traffic (class 0) is identified with a precision of 0.97 and a recall of 0.99, whereas malicious traffic (class 1) is detected with perfect precision and recall (1.00). The macro-average F1-score of 0.99, along with an overall accuracy of 1.00, highlights the model’s strong generalization capabilities despite class imbalance. These results are further supported by the confusion matrix, which indicates that only a small number of benign samples were misclassified. Overall, the model achieves high detection accuracy with a minimal false-positive rate, demonstrating its suitability for real-time DDoS attack detection in IoT networks.
Thus far into the training phase, a significant drop in loss and an equal drop in loss on the training set was observed, indicating that the model was functioning well and able to discover patterns to a sufficient level of detail. For instance, in epoch one, the model produced relatively high validation loss (0.1022) and after one epoch, the model reached a low validation loss level (0.0058) which revealed that the model was able to generalize well to the unseen data. However, subsequent epochs were interspaced with periods of loss stagnation.
The overall pattern was that sufficient learning was taking place so that the accuracy level was increased and gain on the accuracy level was consistent. Figure 9 presents the training loss and validation loss of the hybrid model after 8 epochs. The model is learning effectively and is able to generalize due to consistent decline in loss on the training and validation dataset. Initially, the training loss (blue line) showed a rapid reduction which illustrated that the training data were collected quickly for high-risk patterns. The validation loss (orange line) showed a reduction too, in the later epochs, but was lower than the training loss indicating that the model was able to perform well on unseen data.
Hybrid CNN–LSTM architectures naturally produce mild oscillations. The convolutional layers learn spatial/temporal features in bursts, while the LSTM units adjust sequential patterns more gradually. This asynchronous learning often results in non-monotonic, wave-shaped loss curves even when the model is generalizing well. This behavior has also been reported in prior work using CNN–LSTM hybrids for intrusion detection.
This shows that the model is broadening well without going too far. The model successfully achieves robust performance on both the training and validation datasets, as seen by the losses stabilizing around epoch 8 and converging to low values.
Classification was the last step, and accuracy increased steadily over 8 epochs. The model achieved a test accuracy of 98% after 8 epochs, up from an initial accuracy of 93% in Epoch 1. The validation accuracy grew steadily during this time, reaching a peak of 99% by the final epoch. This consistent increase demonstrates the model’s capacity to learn efficiently across training and validation datasets.
The similarity between validation and test metrics under the 80:20 split indicated consistent generalization and confirmed that the split provided sufficient training data without sacrificing evaluation reliability. Therefore, the 80:20 ratio was validated both empirically and through internal validation, demonstrating that it offered the best balance between training volume and robust performance assessment.
While achieving 98% accuracy by the 8th epoch may appear rapid, it is consistent with the combined effect of: a hybrid CNN–LSTM architecture, a high-quality and well-preprocessed dataset, and optimized training procedures. Nevertheless, to ensure that this early convergence does not reflect overfitting, we monitored validation loss, applied dropout regularization, and tested the model on a held-out validation set. The stable validation accuracy across subsequent epochs confirms that the model has learned meaningful patterns rather than memorizing the training data.
Table 2 displays a comparison of the models’ accuracy on the CICDDoS2019 dataset. The outcomes demonstrate how the suggested architectures outperformed the compared approaches. Based on the comprehensive comparisons of 5 models, the accuracies of the current models, CNN, DNN, and LSTM [21], were 90.64%, 89.88%, and 91.27%, respectively. Based on training and testing time, the accuracies of the CNN-LSTM, DNN, and RNN models [27] were 87, 88, and 93%, respectively. However, the lowest results of accuracy were obtained with the DNN, CNN, and RNN models assessed in [28] and were 84.73%, 94.30%, and 95.89%, respectively. Furthermore, the accuracies of the CNN, RNN, and LSTM models were 92.21%, 92.73%, and 92.75%, respectively, in [22]. The accuracy of the suggested hybrid model in [23] was 96.78%. The outcomes demonstrate how well the model works to achieve higher accuracy when compared to other models. Our work offers more details regarding the use of DDoS attack detection in IoT networks than other deep learning-based security solutions.
Unlike prior works that address generic IoT or network traffic, our model is specifically designed and evaluated for healthcare IoT environments, capturing device-specific traffic patterns and attack vectors relevant to medical networks. In addition, our approach incorporates a carefully selected set of traffic features from the CIC-DDoS2019 dataset and was tuned specifically for DDoS detection in IoT traffic. The proposed model achieves higher accuracy and faster convergence while maintaining robust performance across multiple DDoS attack types, demonstrating an improvement over prior CNN–LSTM approaches.

5.4. Discussion

The results highlight the effectiveness of the proposed model in detecting DDoS attacks within IoT networks. This discussion not only provides an overall assessment of the hybrid approach but also examines the strengths, limitations, and potential areas for improvement for each component model. To facilitate this analysis, the classifier is trained using all available features, after which the most relevant attributes are selected to identify the different types of DDoS attacks.
Throughout the training and validation stages, the CNN model exhibits gains. The CNN exhibits resilience in obtaining spatial characteristics from network traffic data, with improved test accuracy and minimal validation loss. The capacity for generalization demonstrates how well convolutional layers capture spatial dependencies without overfitting. By leveraging its sequential modeling capabilities, the LSTM enhances the detection of anomalies through the identification of temporal patterns in network traffic. LSTM performance could be further stabilized by addressing the anomaly detection through data augmentation or strong preprocessing methods. The hybrid model, which combines CNN-LSTM, showed promise in combining feature extraction, temporal dependency modeling, and dimensionality reduction.
The hybrid strategy was able to extract connections in IoT network traffic with strong learning potential. Nevertheless, the hybrid model had difficulties with uncommon attack types despite its generally balanced performance, indicating the need for additional improvement, possibly using ensemble techniques or more layers devoted to detecting minority classes. Furthermore, training and testing time is an important criterion for classifier benchmarking that was not considered in most previous studies. To evaluate how well different models performed in relation to the time spent testing and training, we used four metrics: accuracy, precision, recall, and F1 score.

6. Conclusions

A novel technological approach facilitates the protection of intelligent IoT devices utilized in various healthcare applications. However, this also increases the risks of potential DDoS cyberattacks, which pose extremely critical threats to the infrastructures we protect. While deep learning (DL)-based intrusion detection techniques have demonstrated commendable accuracy in learning to classify such threats, the efficiency of the techniques remains an issue for cyber security practitioners, primarily due to opacity in the algorithms employed. To alleviate such concerns, this research proposes a hybrid CNN-LSTM architecture for the detection of DDoS attacks on WSN-IoT-based healthcare systems.
The growing impacts of network security threats have been countered effectively by DDoS attacks. The hybrid model was also evaluated against the CICDDoS2019 dataset and demonstrated commendable efficiency with an accuracy of 99% and a loss of 0.05%. The capabilities of the individual CNN multitask and LSTM on IoT-enabled real world systems were validated and demonstrated the hybrid model to possess considerable additional potential for further applications due to the concurrent utilization of spatial and temporal DDoS attack detection. The DDoS attack prevention strategies clearly demonstrated potential to enhance the security of IoT networks.
Evaluations of the current systems will be performed primarily using the same logic that has already been described, especially in terms of learning how to deal with the less common DDoS assaults. The power of the systems and the computing architecture that sustain the systems will also be directed to the issues of computing complexity in order to process the information quickly so that threats can be identified and the delays in the threat identification cycle eliminated. In addition to that already mentioned, evaluating the effectiveness of the system will provide the opportunity to model and analyze other parameters that will certainly influence the effectiveness of the system. For example, we could increase the volume of the managed flows in the network and increase the values of the parameters from the same network in real time.

Author Contributions

Conceptualization, M.B.M.; methodology, M.B.M. and D.B.; software, M.B.M., D.B., A.A.J.A.-A. and M.K.I.; validation, A.F.; formal analysis, A.A.J.A.-A. and M.K.I.; investigation, M.B.M. and D.B.; resources, M.B.M.; data curation, M.B.M.; writing—original draft preparation, M.B.M. and D.B.; writing—review and editing, D.B., A.A.J.A.-A. and M.K.I.; visualization, M.B.M.; supervision, A.F.; project administration, A.F.; funding acquisition, M.B.M., D.B., A.A.J.A.-A. and M.K.I. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The CICDDoS2019 dataset can be found at https://www.kaggle.com/datasets/rodrigorosasilva/cic-ddos2019-30gb-full-dataset-csv-files (accessed on 5 April 2025).

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

DDoS: Distributed Denial of Service
WBSNs: Wireless Body Sensor Networks
IoT: Internet of Things
CNN: Convolutional Neural Networks
LSTM: Long Short-Term Memory

References

  1. Wakili, A.; Bakkali, S. Internet of Things in healthcare: An adaptive ethical framework for IoT in digital health. Clin. Ehealth 2024, 7, 92–105.
  2. Sharma, N.; Jindal, N. Emerging artificial intelligence applications: Metaverse, IoT, cybersecurity, healthcare an overview. Multimed. Tools Appl. 2024, 83, 57317–57345.
  3. Rahman, M.H.; Islam, T.; Amjad, M.H.H.; Shovon, M.S.S.; Chowdhury, M.E.; Ashakin, M.R.; Hossain, B.; Bhowmik, P.K.; Nurullah, M.; Sunny, A.R. Impact of Internet of Things (IoT) on Healthcare in Transforming Patient Care and Overcoming Operational Challenges. J. Angiother. 2024, 8, 10041.
  4. Jansi, B.; Sumalatha, V. The security constructions and enhancements of smart wearable devices in modern technologies and health monitoring system. In Computational Intelligence for Clinical Diagnosis; Springer: Cham, Switzerland, 2023; pp. 461–471.
  5. Das, S.; Nayak, S.P.; Sahoo, B.; Nayak, S.C. Machine Learning in Healthcare Analytics: A State-of-the-Art Review. Arch. Comput. Methods Eng. 2024, 31, 3923–3962.
  6. Singh, M.; Singh, J.; Ravi, V.; Gupta, A.; Alahmadi, T.; Shivahare, B.; Diwakar, M.; Tayal, M.; Singh, P. A Healthcare System Employing Lightweight CNN for Disease Prediction with Artificial Intelligence. Open Public Health J. 2024, 17, e18749445302023.
  7. Rahman, A.; Debnath, T.; Kundu, D.; Khan, M.S.I.; Aishi, A.A.; Sazzad, S.; Sayduzzaman, M.; Band, S.S. Machine learning and deep learning-based approach in smart healthcare: Recent advances, applications, challenges and opportunities. AIMS Public Health 2024, 11, 58–109.
  8. Ullah, S.; Mahmood, Z.; Ali, N.; Ahmad, T.; Buriro, A. Machine learning-based dynamic attribute selection technique for ddos attack classification in iot networks. Computers 2023, 12, 115.
  9. Gaur, V.; Kumar, R. Analysis of machine learning classifiers for early detection of DDoS attacks on IoT devices. Arab. J. Sci. Eng. 2022, 47, 1353–1374.
  10. Syed, N.F.; Baig, Z.; Ibrahim, A.; Valli, C. Denial of service attack detection through machine learning for the IoT. J. Inf. Telecommun. 2020, 4, 482–503.
  11. Altulaihan, E.; Almaiah, M.A.; Aljughaiman, A. Anomaly Detection IDS for Detecting DoS Attacks in IoT Networks Based on Machine Learning Algorithms. Sensors 2024, 24, 713.
  12. Neto, E.C.P.; Dadkhah, S.; Ferreira, R.; Zohourian, A.; Lu, R.; Ghorbani, A.A. CICIoT2023: A Real-Time Dataset and Benchmark for Large-Scale Attacks in IoT Environment. Sensors 2023, 23, 5941.
  13. Khempetch, T.; Wuttidittachotti, P. DDoS attack detection using deep learning. IAES Int. J. Artif. Intell. 2021, 10, 382.
  14. Yan, F.; Zhang, G.; Zhang, D.; Sun, X.; Hou, B.; Yu, N. TL-CNN-IDS: Transfer learning-based intrusion detection system using convolutional neural network. J. Supercomput. 2023, 79, 17562–17584.
  15. Chen, Y.; Qin, X.; Wang, J.; Yu, C.; Gao, W. Fedhealth: A federated transfer learning framework for wearable healthcare. IEEE Intell. Syst. 2020, 35, 83–93.
  16. Elsayed, M.S.; Le-Khac, N.A.; Dev, S.; Jurcut, A.D. Ddosnet: A deep-learning model for detecting network attacks. In Proceedings of the IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), Cork, Ireland, 31 August–3 September 2020; pp. 391–396.
  17. Almaraz-Rivera, J.G.; Perez-Diaz, J.A.; Cantoral-Ceballos, J.A. Transport and application layer DDoS attacks detection to IoT devices by using machine learning and deep learning models. Sensors 2022, 22, 3367.
  18. Aswad, F.M.; Ahmed, A.M.S.; Alhammadi, N.A.M.; Khalaf, B.A.; Mostafa, S.A. Deep learning in distributed denial-of-service attacks detection method for Internet of Things networks. J. Intell. Syst. 2023, 32, 20220155.
  19. Hossain, M.D.; Ochiai, H.; Fall, D.; Kadobayashi, Y. LSTM-based network attack detection: Performance comparison by hyper parameter values tuning. In Proceedings of the 7th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/6th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), New York, NY, USA, 1–3 August 2020; pp. 62–69.
  20. Nguyen, X.H.; Le, K.H. Robust detection of unknown DoS/DDoS attacks in IoT networks using a hybrid learning model. Internet Things 2023, 23, 100851.
  21. Hizal, S.; Cavusoglu, U.; Akgun, D. A novel deep learning-based intrusion detection system for IoT DDoS security. Internet Things 2024, 28, 101336.
  22. Abbas, S.; Bouazzi, I.; Ojo, S.; Al Hejaili, A.; Sampedro, G.A.; Almadhor, A.; Gregus, M. Evaluating deep learning variants for cyber-attacks detection and multi-class classification in IoT networks. PeerJ Comput. Sci. 2024, 10, e1793.
  23. Ain, N.U.; Sardaraz, M.; Tahir, M.; Abo Elsoud, M.W.; Alourani, A. Securing IoT Networks Against DDoS Attacks: A Hybrid Deep Learning Approach. Sensors 2025, 25, 1346.
  24. Ullah, Z.; Arif, F.; Haq, Q.M.; Khan, N.A.; Din, I.U.; Almogren, A.; Khan, M.A.; Alsaleh, O.; Guizani, M. Hybrid CNN-LSTM Model for DDoS Attack Detection in Internet of Things-based Healthcare Industry 5.0. IEEE Internet Things J. 2025, 12, 46075–46082.
  25. Ibraheem, M.K.I.; Al-Abadi, A.A.J.; Mohamed, M.B.; Fakhfakh, A. A Security-Enhanced Energy Conservation with Enhanced Random Forest Classifier for Low Execution Time Framework (S-2EC-ERF) for Wireless Sensor Networks. Appl. Sci. 2024, 14, 2244.
  26. Ullah, K.; Ahsan, M.; Hasanat, S.M.; Haris, M.; Yousaf, H.; Raza, S.F.; Tandon, R.; Abid, S.; Ullah, Z. Short-Term Load Forecasting: A Comprehensive Review and Simulation Study with CNN-LSTM Hybrids Approach. IEEE Access 2024, 12, 111858–111881.
  27. Nkoro, E.C.; Njoku, J.N.; Nwakanma, C.I.; Lee, J.M.; Kim, D.S. Zero-Trust Marine Cyberdefense for IoT-Based Communications: An Explainable Approach. Electronics 2024, 13, 276.
  28. Wang, Z.; Chen, H.; Yang, S.; Luo, X.; Li, D.; Wang, J. A lightweight intrusion detection method for IoT based on deep learning and dynamic quantization. PeerJ Comput. Sci. 2023, 9, e1569.
Figure 1. Workflow of WBSN-based deep learning model for IoT-based healthcare.
Figure 2. IoT System architecture of the proposed hybrid model.
Figure 3. Hybrid CNN-LSTM architecture diagram.
Figure 4. Used feature extraction.
Figure 5. Performance of the CNN model during training and validation phases.
Figure 6. Performance of the LSTM model during training and validation phases.
Figure 7. Confusion matrix.
Figure 8. Classification report.
Figure 9. Performance of the hybrid model during training and validation phases.
Table 1. The used hyperparameters.

| Layers | Parameter |
|---|---|
| Input | (batch, T, F) where T = timesteps in window (e.g., 50), F = selected features (20). |
| Conv1D | (filters = 64, kernel_size = 3, activation = ‘ReLU’) |
| MaxPool1D | (pool_size = 2) |
| Dropout | (0.2) |
| LSTM | (64, relu) |
| Dropout | (0.5) |
| Dense | (num_classes, activation = ‘softmax’ or sigmoid) |
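
An added example, not code from the article: a dependency-free Python trace of tensor shapes and trainable-parameter counts through the Table 1 stack, which shows how small the model is for deployment near resource-limited devices. It assumes Keras-style defaults (valid padding, stride 1, pooling stride equal to pool size, an LSTM that returns only its final state, biases enabled) and num_classes = 2, none of which the page states.

```python
# Added example: shape and parameter trace for the Table 1 stack.
# Assumptions (not stated on the page): Keras-style defaults, i.e. Conv1D
# with 'valid' padding and stride 1, MaxPool1D stride equal to pool_size,
# an LSTM that returns only its final hidden state, and biases everywhere.

def conv1d(shape, filters, kernel_size):
    steps, channels = shape
    if steps < kernel_size:
        raise ValueError("window shorter than kernel")
    out = (steps - kernel_size + 1, filters)
    params = kernel_size * channels * filters + filters
    return out, params

def maxpool1d(shape, pool_size):
    steps, channels = shape
    return (steps // pool_size, channels), 0

def lstm(shape, units):
    steps, channels = shape
    # Four gates, each with input weights, recurrent weights and a bias.
    params = 4 * (units * (channels + units) + units)
    return (units,), params

def dense(shape, units):
    (features,) = shape
    return (units,), features * units + units

def trace(timesteps=50, features=20, num_classes=2):
    """Return (layer, output shape without batch axis, params) per layer."""
    shape = (timesteps, features)
    rows = [("Input", shape, 0)]
    for name, layer, kwargs in [
        ("Conv1D", conv1d, {"filters": 64, "kernel_size": 3}),
        ("MaxPool1D", maxpool1d, {"pool_size": 2}),
        ("Dropout(0.2)", None, {}),   # no weights, shape unchanged
        ("LSTM", lstm, {"units": 64}),
        ("Dropout(0.5)", None, {}),
        ("Dense", dense, {"units": num_classes}),
    ]:
        params = 0
        if layer is not None:
            shape, params = layer(shape, **kwargs)
        rows.append((name, shape, params))
    return rows

def total_params(rows):
    return sum(p for _, _, p in rows)

if __name__ == "__main__":
    rows = trace()
    for name, shape, params in rows:
        print(f"{name:<13} {str(shape):<10} {params:>7,}")
    print("total", total_params(rows))
```
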
Table 2. Comparison of different models’ accuracy.

| Model | Accuracy (%) |
|---|---|
| CNN, DNN, LSTM [21] | 90.64, 89.88, 91.27 |
| CNN-LSTM, DNN [27] | 87.0, 88.0, 93.0 |
| DNN, CNN, RNN [28] | 84.73, 94.30, 95.89 |
| CNN, RNN, LSTM [22] | 92.21, 92.73, 92.75 |
| CNN, LSTM [23] | 96.78 |
| Proposed Model | 99 |