Enhanced Detection of Intrusion Detection System in Cloud Networks Using Time-Aware and Deep Learning Techniques

by Nima Terawi 1, Huthaifa I. Ashqar 1,2,*, Omar Darwish 3, Anas Alsobeh 4, Plamen Zahariev 5 and Yahya Tashtoush 6

1 Department of AI and Data Science, Arab American University, Jenin P.O. Box 240, Palestine
2 AI Program, Columbia University, New York, NY 10027, USA
3 Information Security and Applied Computing, Eastern Michigan University, Ypsilanti, MI 48197, USA
4 Information Technology, Southern Illinois University, Carbondale, IL 62901, USA
5 Department of Telecommunications, University of Ruse “Angel Kanchev” (UR), 7017 Ruse, Bulgaria
6 Computer and Information Technology, Jordan University of Science and Technology, P.O. Box 3030, Irbid 22110, Jordan
* Author to whom correspondence should be addressed.
Computers 2025, 14(7), 282; https://doi.org/10.3390/computers14070282
Submission received: 16 June 2025 / Revised: 15 July 2025 / Accepted: 15 July 2025 / Published: 17 July 2025

Abstract

This study introduces an enhanced Intrusion Detection System (IDS) framework for Denial-of-Service (DoS) attacks, utilizing network traffic inter-arrival time (IAT) analysis. By examining the timing between packets and other statistical features, we detected patterns of malicious activity, allowing early and effective DoS threat mitigation. We generate real DoS traffic, including normal, Internet Control Message Protocol (ICMP), Smurf attack, and Transmission Control Protocol (TCP) classes, and develop nine predictive algorithms, combining traditional machine learning and advanced deep learning techniques with optimization methods, including the synthetic minority oversampling technique (SMOTE) and grid search (GS). Our findings reveal that while traditional machine learning achieved moderate accuracy, it struggled with imbalanced datasets. In contrast, Deep Neural Network (DNN) models showed significant improvements with optimization, with DNN combined with GS (DNN-GS) reaching 89% accuracy. However, we also used Recurrent Neural Networks (RNNs) combined with SMOTE and GS (RNN-SMOTE-GS), which emerged as the best-performing with a precision of 97%, demonstrating the effectiveness of combining SMOTE and GS and highlighting the critical role of advanced optimization techniques in enhancing the detection capabilities of IDS models for the accurate classification of various types of network traffic and attacks.

1. Introduction

Recently, many organizations have come to store their data in a variety of ways; the one requirement shared by all of them is to protect their private and official data from intruders and external threats. It is also possible that an authorized user leaks the organization’s data for some reason. In real time, however, it is difficult to recognize the attacker, because duplicate IP addresses and attack packets can be created. Previously used techniques such as firewalls and Intrusion Prevention and Detection Systems (IPDSs) were unable to detect the attacker in many cases. A computer network is a collection of hardware and software, and both components have risks, vulnerabilities, and security issues [1]. An attack on the software exposes the data; those who understand programming and systems can easily determine, from log files, the various activities performed on the systems. The problem arises when people have no underlying knowledge of programming and their system is attacked by intruders, leaving them unable to identify the problem. Thus, the most difficult task is determining an insider attack. Network security is an area where every user wants the systems to be safe from all malicious attacks, internal or external. An IDS can detect external intruder attacks and can identify internal intruders. An IDS is a system that monitors network traffic for suspicious activity and issues alerts when it detects it [2]. DoS attacks have also emerged as one of the most serious risks to computer networks. This type of attack drove big websites like Amazon, CNN, and Yahoo to close at the end of the twentieth century [3]. The attacker applies the DoS to flood the target network with a massive number of packets. The attack consumes the victim network’s resources, such as bandwidth and computing power; as a result, clients do not receive their service from the victim and the performance of the network becomes much worse [4].
Flooding and vulnerability are the two types of DoS attacks. In flooding attacks, the attacker sets up a zombie army to send junk or attack traffic at a rate that the target network cannot handle. Based on the attack mechanism, flooding attacks are divided into direct and indirect DoS attacks. Based on the protocol level, they are categorized into network-level, transport-level, and application-level attacks. Attacks such as Transmission Control Protocol (TCP) and ICMP flooding belong to the Net-DoS flooding category, whereas HTTP flooding belongs to the App-DoS flooding category [4].
Software-defined networking (SDN) provides a powerful transition platform from traditional networks to a flexible, programmable, and open paradigm. The continuous growth of the Internet, the emergence of cloud computing, and the widespread adoption of social media necessitate a reliable, adaptable, and scalable network infrastructure [5]. The increasing complexity of both public and private network traffic poses challenges during implementation, highlighting the need for programmability and a centrally managed network architecture; as its name implies, SDN is a computer network that is implemented and managed centrally through software programming. By interconnecting devices, SDN facilitates global communication, enabling seamless interaction across the globe. However, this extensive interconnectivity also presents challenges that can potentially disrupt the entire network. SDN’s decoupled architecture and programmability capabilities position it as the front-runner in the networking world, as it allows for centralized management from a single point of control [6].
In recent times, the escalating frequency of Denial-of-Service (DoS) attacks, coupled with the widespread adoption of encrypted communication channels within networks, has underscored the urgent requirement for robust and efficient detection mechanisms [7]. Addressing this critical challenge involves exploring strategies that leverage the analysis of network traffic’s inter-arrival time and statistical attributes to effectively identify attacks in imbalanced datasets.
IAT refers to the time difference between the arrivals of consecutive packets in a network stream. This temporal feature captures subtle patterns in traffic behavior that are often invisible to traditional content-based analysis. During a DoS attack, especially high-volume ones like ICMP or Smurf floods, packets are transmitted at unnaturally consistent or rapid intervals, resulting in statistically distinguishable IAT distributions compared to normal traffic. By analyzing these patterns, the IDS can detect anomalies indicative of an attack. IAT serves as a lightweight yet highly informative feature, enabling the system to distinguish between benign and malicious traffic more effectively, particularly in real-time environments where payload inspection may not be feasible. In our study, IAT was used as a core input feature for all models, and its integration significantly enhanced the performance of time-aware models like RNNs.
This study introduces a novel approach for IDSs by leveraging inter-arrival times and statistical features of network traffic to detect DDoS attacks, particularly in the context of imbalanced datasets. Unlike existing methods that primarily focus on packet content, this approach emphasizes temporal patterns, such as irregular packet intervals and abnormal traffic volumes, which are often indicative of malicious activity. By incorporating inter-arrival time analysis, this study enhances the ability to detect subtle and evolving attack patterns, improving early detection and mitigation of DDoS threats. This contribution is significant as it addresses limitations in traditional IDS methods and provides a robust framework that can potentially be adapted for real-world systems with diverse and dynamic traffic profiles.
The remainder of this paper is organized as follows: Section 2 reviews related work on IDS approaches for DDoS attacks. Section 3 details the proposed methodology, including dataset preparation and feature analysis. Section 4 presents the experimental setup and results, highlighting the performance of different models. Section 5 discusses the findings and their implications and limitations and concludes this study.

2. Literature Review

Over the past two decades, the field of Distributed Denial-of-Service (DDoS) attack detection has witnessed the introduction of various techniques, primarily categorized into anomaly-based detection and signature-based detection [8,9]. In [10], the IDS-INT method was proposed as a means to detect different types of attacks within imbalanced network traffic. This method employs a comprehensive approach involving the filtering and categorization of attacks based on criteria such as precision, recall, F1-score, and accuracy. Performance evaluation is conducted with consideration given to attack types such as web attacks, port scan attacks, infiltration attacks, and DDoS attacks. Feature extraction and analysis utilize flow selection, transformer transfer learning, SMOTE, and CNNs, with comparisons drawn among different subsets.
The authors in [11] proposed a method to address the containment control problem for linear multiagent systems (MASs) under DoS attacks. The method involved designing three different observers to estimate the relative state information of the agents. These observers were used to compensate for the effects of the DoS attacks on the communication among agents. By using these observers, the paper aimed to achieve containment control even in the presence of DoS attacks.
In a separate study [3], the authors presented an approach for detecting DDoS flooding attacks. This approach leveraged time series similarity measurement to analyze network time series data, allowing the identification of dissimilarity intervals and facilitating rapid deviation discovery. Dynamic time warping is employed as a detection technique, treating network traffic features as signals. The method demonstrated effectiveness through application to the CICDDoS2019 dataset, showcasing high detection accuracy and low computational complexity.
In another study [12], researchers collected data from two datasets, one containing 4998 records classified into four groups (i.e., interface, IP, TCP, and ICMP). Six types of DoS attacks, including HTTP flood, User Datagram Protocol (UDP) flood, ICMP echo, TCP SYN, slow POST, and Slowloris, were realized. Random forest and neural network classifiers were employed, demonstrating robust classification accuracy. The methods incorporated signature analysis, entropy analysis, and machine learning using multifractal and recurrence analysis. A hybrid feature selection model is proposed by the researchers in [6], incorporating chi-square, ANOVA, and principal component analysis (PCA) methods on the benchmark NSL-KDD dataset. The focus of this approach is on enhancing accuracy, F1-score, and precision while minimizing computational power.
Taking a time-based approach in [13], the study introduced an online algorithm based on a sliding window with the novel application of morphological fractal dimension (MFD) to address the high computational cost. Significant improvements in DDoS attack detection are reported compared to entropy-based approaches. Table 1 summarizes the results of the previous work.
Addressing this critical challenge involves exploring strategies that leverage the analysis of network traffic’s inter-arrival time and statistical attributes to effectively identify and thwart DDoS attacks in imbalanced datasets. By examining the timing between packets (i.e., IAT) and other statistical features of network traffic, it becomes possible to discern patterns indicative of malicious activity. These strategies can detect anomalies that deviate from typical traffic behaviors, such as unusually high traffic volumes, irregular intervals between packets, or abnormal packet sizes, which are common signs of DoS attacks. Implementing such analysis allows for the early detection and rapid mitigation of DDoS threats, thereby enhancing the resilience and security of network systems. Utilizing inter-arrival time as an input for IDSs is crucial due to its effectiveness in capturing the nuances of network traffic patterns that are often indicative of malicious activities such as DoS attacks. Inter-arrival time provides a granular view of traffic flow, enabling the detection of anomalies that might be missed by analyzing packet content alone. By incorporating this temporal dimension, IDSs can more accurately distinguish between normal and abnormal traffic patterns, as malicious traffic often exhibits irregular inter-arrival times due to the rapid nature of attack packets. This approach enhances the precision and robustness of intrusion detection models, contributing significantly to the field by improving the early detection and prevention of sophisticated and evolving threats.

3. Materials and Methods

The main goal of this research is to develop a detection system that identifies DoS attacks based on inter-arrival time in the cloud environment. We used the statistical features of normal traffic as the baseline to detect anomalies and identify the DoS attack types. In the statistical approach, the mean, median, standard deviation, entropy, average, max, and min are calculated to detect anomalous traffic. We used a combination of traditional machine learning and deep learning algorithms to classify the traffic into four different classes, as shown in Figure 1.
Analyzing inter-arrival times is ideal for cloud environments due to its scalability, efficiency, and ability to adapt to dynamic, high-volume traffic patterns. It effectively detects DoS attacks by capturing timing anomalies across diverse workloads and distinguishing malicious traffic from normal cloud variations, providing a lightweight and robust solution for protecting cloud infrastructures.
Within the field of IDSs, four benchmark datasets are commonly used: the KDD Cup dataset, the NSL-KDD dataset, the Kyoto dataset, and the UNSW-NB15 dataset. These datasets are favored because of their well-organized structure and efficacy in conducting experiments, particularly in the domain of machine learning algorithms. Additionally, their free availability further enhances their appeal to researchers and practitioners alike. In this work, we created our own dataset by monitoring existing DoS traffic in a virtual environment [19]. Creating a custom dataset for IDSs, particularly one focused on monitoring existing DoS traffic in a virtual environment, offers several advantages over relying solely on established benchmark datasets like KDD Cup, NSL-KDD, Kyoto, and UNSW-NB15. Although these benchmark datasets are invaluable for their well-organized structure and proven efficacy in machine learning experiments, they may not capture the specific characteristics and nuances of the unique network environment being studied. By generating a custom dataset, we can tailor the data to reflect the exact conditions, attack patterns, and traffic behaviors pertinent to our specific virtual environment, leading to more relevant and precise IDS models. This approach ensures that the models are not only tested on generic data but are also validated against real-world conditions that closely resemble the operational environment where the IDS will be deployed, ultimately enhancing the system’s effectiveness and reliability in detecting and mitigating DoS attacks.

3.1. Mininet Implementation

This work runs the Mininet Virtual Machine (VM) under VMware. Mininet is a Python-based open-source network emulator that generates a virtual networking architecture connecting virtual hosts through devices such as switches, links, and controllers. It comes with Linux network software and supports OpenFlow for custom routing and SDN. Because Mininet must be installed on a Linux system, we chose VMware Workstation Pro 15 to host it for our simulations. The experiments and simulations were run on a PC running 64-bit Windows 10 on a Core i7 with 16 GB of RAM.

3.2. Dataset Description

Creating the dataset stands as a crucial stage in implementing a machine learning approach. Data are typically sourced from diverse sources and may exhibit noise, redundancy, incompleteness, or even contradictions. This fundamental step is crucial to shaping the quality and efficacy of the ensuing machine learning process.
The dataset was generated through controlled simulations using the Mininet network emulator; the Mininet topology contains four hosts, two switches, and one built-in POX-type controller, and all of these devices are connected in the Mininet environment. The DoS attacks were created by the hping3 packet crafting tool, with each type of DoS created by running a command with specific conditions to ensure data integrity and consistency.
At first, normal traffic was created, with around 6600 individual connections. These connections were split into streams of 8 packets each, and each stream was described by summary statistics: the min and max values, mean, median, standard deviation, and entropy. In a TCP flood attack, a large number of SYN (synchronize) packets are sent to the target with the intention of overwhelming its resources and causing disruption. We created 779,681 connections of SYN requests and ACK replies. Due to the nature of the three-way handshake of a normal TCP connection, this flood takes somewhat more time to generate than the others.
The ICMP flood was captured using Wireshark, a network protocol analyzer. In this flood, a very large number of ICMP packets were sent to the designated target with the objective of overwhelming it. Approximately 2496 requests were generated. This attack is a form of volumetric attack, characterized by its focus on saturating the target’s resources with a substantial influx of network packets.
The last flood attack is Smurf flood, which is a type of network-layer DDoS attack. The attack involves sending a large volume of ICMP echo request (ping) traffic to a network’s broadcast address. The attackers typically use IP spoofing to send these requests, making them appear to originate from the victim’s address. Wireshark generated a pcap traffic file for each type with a few features like IP source, IP destination, time when this packet was captured, protocol, length, and notes about the packet; the most important feature to us was time, and based on this feature we calculated the timestamp and inter-arrival time for each file. As a result, our dataset contained three types of DoS attacks in addition to normal traffic, with each packet labeled.
Each DDoS attack is characterized by the transmission of a large volume of specific packets, often with varying sizes, from a single host to a target. For instance, an ICMP flood involves sending ICMP packets from a host (H1) to a target (H2). In the final dataset, only statistical features derived from network traffic are utilized, with unnecessary features, such as source and destination IP addresses, being excluded. This allows the focus to remain on patterns indicative of DDoS attacks, rather than individual network addresses.
The simulated network topology in this study consists of four hosts (H1, H2, H3, and H4) and a server. Each host periodically sends ICMP echo request (ping) packets to other hosts, with the target hosts responding with ICMP echo reply packets. These ping packets, characterized by their small size, represent normal traffic in the network. The traffic is distributed across multiple hosts and directed to various destinations, including the other hosts and the server, thereby avoiding a concentrated attack pattern. In this setup, no specific target is the focus of the traffic. To simulate such behavior, the hping3 tool is employed, which can send various types of packets, while Wireshark is used for traffic monitoring.
Mininet provides a customizable environment for simulating various network topologies, including those vulnerable to DDoS attacks. By using Mininet, this study can capture subtle differences in network behavior under attack conditions, which contributes to the generation of more accurate datasets. This flexibility allows for the simulation of multiple types of DDoS attacks, such as SYN floods and UDP floods, providing valuable insights into their impact on network traffic patterns.
Although the original dataset was generated with only four hosts and a server, this study focuses on analyzing the behavior of four types of DDoS attacks. The hping3 tool, which can send packets from multiple fake IP addresses to the target, is used to simulate these attacks, ensuring the generation of varied attack patterns and helping to better understand the network’s response under different attack conditions.

3.3. Statistical-Based Approach

The basic idea behind these methods is that similar attacks share common statistical features. By spotting these similarities, we can identify these attacks without needing to understand the context. These methods keep track of how different events relate to each other and use past data analysis to figure out how often certain things happen when the system is being trained. A DDoS attack affects the statistical features (for instance mean and variance) of a packet flow with temporal fluctuations [20,21,22,23].
Our method for spotting DDoS attacks in cloud computing is mainly based on using a better feature than what was used before. Instead of just looking at individual packets, we focus on something called “packet IAT,” which stands for the time between when one packet arrives and when the next one does. By studying how these time intervals work, we can figure out how likely it is that a DDoS attack is happening in a stream of network traffic.
Consider a packet, which we will call “P.” We can describe this packet by the time between its arrival and the arrival of the next packet in a sequence of traffic. Calling this time $P_t$, we have $P_t = A_{t+1} - A_t$, where $A_{t+1}$ is the arrival time of the next packet and $A_t$ is the arrival time of the current packet. We compute this for all the packets in the sequence. What makes a DDoS attack stand out is that it often follows a pattern in which the time between packet arrivals is somewhat predictable, for example following an exponential distribution. We can use this pattern to spot unusual behavior or anomalies in the traffic. The features in our dataset are presented in Table 2.
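The feature pipeline described in Sections 3.2 and 3.3 (and revisited in Section 4.1), written out as an added example that is not the paper’s code: per-packet IAT from capture timestamps, 8-packet streams, the min/max/mean/median/std/entropy features, and a normal-traffic baseline used to flag deviating streams. The Wireshark CSV column layout, the 0.1 ms entropy binning, the z-score rule with k = 3, and the sample timestamps are all assumptions of this example.

```python
"""Inter-arrival-time (IAT) features per packet stream, with a normal-traffic
baseline for flagging flood-like streams.

Added example; it is not code from the paper. It assumes a Wireshark CSV export
whose "Time" column holds capture timestamps in seconds (the only field the
paper derives features from), streams of 8 packets, and the feature set of
Section 3.3 (min, max, mean, median, standard deviation, entropy).
"""
import csv
import io
import math
import statistics
from collections import Counter

STREAM_SIZE = 8  # packets per stream, as in the paper's dataset construction

# Constructed capture (not real data): three streams of ping traffic with
# jittered ~1 s gaps, then one stream sent at ~1 ms intervals, the timing
# signature the paper associates with ICMP-type floods.
NORMAL_TIMES = [
    [0.000, 0.998, 2.013, 3.004, 3.991, 5.010, 6.002, 6.997],
    [8.003, 9.011, 9.990, 11.006, 12.001, 12.988, 14.012, 15.001],
    [16.004, 16.991, 18.010, 19.002, 20.017, 20.993, 22.001, 23.008],
]
FLOOD_TIMES = [30.0000, 30.0010, 30.0021, 30.0030, 30.0041, 30.0050, 30.0060, 30.0071]


def make_capture_csv(time_lists):
    """Serialise constructed timestamps in Wireshark's default CSV column layout.
    Addresses follow Mininet's default 10.0.0.x numbering (constructed values)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["No.", "Time", "Source", "Destination", "Protocol", "Length", "Info"])
    number = 0
    for times in time_lists:
        for t in times:
            number += 1
            writer.writerow([number, f"{t:.6f}", "10.0.0.1", "10.0.0.2", "ICMP", 98, "Echo (ping) request"])
    return out.getvalue()


SAMPLE_CSV = make_capture_csv(NORMAL_TIMES + [FLOOD_TIMES])


def inter_arrival_times(times):
    """P_t = A_{t+1} - A_t for consecutive capture times (Section 3.3)."""
    return [later - earlier for earlier, later in zip(times, times[1:])]


def iat_entropy(iats, decimals=4):
    """Shannon entropy (bits) of the IATs after binning them to 0.1 ms.
    The bin width is an assumption; the paper does not state its discretisation."""
    counts = Counter(round(x, decimals) for x in iats)
    n = len(iats)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def stream_features(times):
    """The six per-stream statistics of Table 2, computed over the stream's IATs."""
    iats = inter_arrival_times(times)
    return {
        "min": min(iats), "max": max(iats),
        "mean": statistics.fmean(iats), "median": statistics.median(iats),
        "std": statistics.pstdev(iats), "entropy": iat_entropy(iats),
    }


def features_from_csv(text, stream_size=STREAM_SIZE):
    """Parse a Wireshark CSV export and return one feature row per full stream;
    a trailing partial stream is dropped."""
    times = [float(row["Time"]) for row in csv.DictReader(io.StringIO(text))]
    starts = range(0, len(times) - stream_size + 1, stream_size)
    return [stream_features(times[s:s + stream_size]) for s in starts]


BASELINE_FEATURES = ("mean", "std", "entropy")


def baseline(normal_rows):
    """Per-feature mean and standard deviation over normal-traffic streams: the
    normal baseline the paper compares attack traffic against (Section 3)."""
    return {f: (statistics.fmean([r[f] for r in normal_rows]),
                statistics.pstdev([r[f] for r in normal_rows]))
            for f in BASELINE_FEATURES}


def is_anomalous(row, base, k=3.0, eps=1e-9):
    """Flag a stream when any baseline feature lies more than k baseline
    standard deviations from the normal mean (assumed rule, not a paper model)."""
    return any(abs(row[f] - mean) / max(std, eps) > k for f, (mean, std) in base.items())


def detect(normal_rows, rows, k=3.0):
    """Label every stream in `rows` against a baseline built from `normal_rows`."""
    base = baseline(normal_rows)
    return [is_anomalous(row, base, k) for row in rows]


if __name__ == "__main__":
    rows = features_from_csv(SAMPLE_CSV)
    flags = detect(rows[:3], rows)  # the first three streams are known-normal
    for i, (row, flag) in enumerate(zip(rows, flags)):
        print(f"stream {i}: mean IAT {row['mean']:.4f} s, std {row['std']:.4f} s, "
              f"entropy {row['entropy']:.2f} bits -> {'ANOMALY' if flag else 'normal'}")
```

The flood stream is flagged on every baseline feature at once: its mean IAT is three orders of magnitude below the ping baseline and its binned IATs collapse onto three values, so its entropy drops well below the normal streams’ log2(7) bits.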

3.4. Predictive Algorithms

In this study, the selection of nine predictive algorithms aimed to explore a comprehensive range of both traditional machine learning and advanced deep learning techniques, leveraging optimization methods to enhance performance. Logistic Regression (1. LR) was chosen as a baseline due to its simplicity and effectiveness in classification problems. Support Vector Machine was evaluated with two variations: one utilizing the Synthetic Minority Oversampling Technique (2. SVM-SMOTE) to address dataset imbalance and another with grid search (3. SVM-GS) to optimize hyperparameters, ensuring robust performance against imbalanced data and well-tuned models, respectively.
Recurrent Neural Networks (RNNs) were examined extensively due to their ability to handle sequential data, crucial for network traffic analysis. Variants included RNNs combined with SMOTE (4. RNN-SMOTE) and RNNs with SMOTE and GS (5. RNN-SMOTE-GS) to balance the dataset and fine-tune parameters, and another integrating Long Short-Term Memory (LSTM) layers, known for their effectiveness in capturing long-term dependencies within sequences, optimized using GS for better performance (6. RNN-LSTM-GS). The architecture of the RNN-LSTM-GS is shown in Figure 2.
Deep Neural Networks (DNNs) were also assessed to leverage their depth and ability to learn complex patterns. Three configurations were tested: a basic one (7. DNN), a DNN with SMOTE to counteract class imbalance (8. DNN-SMOTE), and a DNN with GS to achieve optimal hyperparameter settings (9. DNN-GS). By comparing these variations, this study aimed to identify the most effective approach for detecting DoS attacks, considering both the handling of data imbalance and the optimization of model parameters for improved accuracy and reliability.

4. Results

In this section, we first introduce the experiment environment, and then we discuss the experiments and results to show which machine learning technique produced a high detection score on the created intrusion dataset for multi-class classification. Finally, we present an interpretability analysis by visualizing the results of the metric evaluation.

4.1. Experiment Settings

To generate the intrusion dataset, we used the Mininet topology installed on VMware; the DoS attacks were created with the hping3 tool and the traffic was captured with the Wireshark tool, on Windows 10 at 3 GHz with 6 GB of main memory. All models were built with TensorFlow and PyTorch and trained in Jupyter Notebook. We split the dataset into training and testing sets and passed the data to the preprocessing pipeline. In this stage, we calculated the timestamp and the IAT. From these two features, we calculated the other statistical features, including mean, median, standard deviation, max, min, and entropy. However, while cleaning our dataset we faced an issue with imbalanced data, as Figure 3 shows. This imbalance matters because it affects how model performance should be understood and can introduce bias. To evaluate the proposed approach, four different evaluation metrics were used: precision (P), recall (R), F1-score (F1), and accuracy (A).

4.2. Traditional Machine Learning Results

We started the evaluation process with training LR on the dataset with no added techniques so that LR would be used as a baseline due to its simplicity and effectiveness in classification problems. The results are shown in Table 3. LR showed an overall accuracy of 80% and a 66% F1-score. LR was able to detect the Smurf class but with a relatively low accuracy. This means that the model makes a large number of incorrect predictions for the Smurf class compared to other classes. The 11% recall means that the model does not effectively identify a significant portion of the actual Smurf observations due to the imbalance in the dataset. The LR model might be relatively too simple to capture the complexity of the Smurf class, especially if the decision boundary is non-linear.
SMURF attacks are difficult to detect due to several factors. The attacker spoofs the source IP address, making the ICMP echo requests appear to come from the victim, not the attacker. Additionally, the attack generates high-volume traffic from many devices, each with different IP addresses, which can obscure the attack and blend with legitimate traffic. The broadcast nature of the attack causes multiple devices to respond to the victim, overwhelming it with traffic, further complicating detection without specialized monitoring.
We then tested the Support Vector Machine model combined with GS (SVM-GS). Figure 4 shows the multiple classification performance on the dataset. We also evaluated the model in terms of precision, recall, and F1-score, as presented in Table 3. Although the confusion matrix shows that SVM with grid search has a high recall for TCP flood, the results illustrated that this model can successfully detect ICMP and TCP but faces an issue with detecting Smurf. The SVM-GS model achieved about 83% overall accuracy. Based on the result, we observe one attack with the worst detection accuracy, which is the Smurf class, with an accuracy of around 0%. Although we used grid search to fix the imbalance issue and chose the best parameters in the grid search method, it might be possible that the features used by the model were not well-suited for distinguishing the Smurf attack. Most of the Smurf attacks were classified as ICMP and TCP traffic due to the similarity in their features.
The confusion matrix in Figure 4 provides a detailed breakdown of the SVM-GS performance by showing the counts of true positive (TP), true negative (TN), false positive (FP), and false negative (FN) predictions. Each row of the matrix represents the actual class, while each column represents the predicted class. In our case 61 are TP for ICMP, which means these are the observations that were correctly predicted as ICMP. About 206 and 103 were, respectively, normal and TCP observations that were correctly predicted as such. The model was successfully able to capture all instances of the normal class, with no FN. In the Smurf case, the recall is 0%, indicating that the model did not correctly identify any observations of the Smurf class.
In an attempt to fix the detection accuracy issue of the Smurf class due to imbalance, we used SVM-SMOTE. Figure 5 and Table 3 show the results of applying the model. SMOTE oversamples the minority class with synthetic observations until its count matches the majority class, in order to fix the issue of the imbalanced dataset. However, the SVM-SMOTE model was not able to fix the issue, and all the elements in the Smurf class were classified as either ICMP or TCP. This suggests that SMOTE may not create helpful synthetic examples for the model to generalize better. This could be due to issues like class imbalance, difficulties with SMOTE, or problems with the SVM model itself as a non-probabilistic (i.e., deterministic) model, which will usually output only the most likely class that the input data instance belongs to. It becomes crucial to consider these factors when interpreting the model’s performance.

4.3. Deep Learning Results

On the other hand, we tested and compared the proposed dataset on developed hybrid RNN deep learning algorithms, including RNN-SMOTE, RNN-SMOTE-GS, and RNN-LSTM-GS. Figure 6 and Figure 7 show the change in accuracy as the epoch changes in GS for RNN-SMOTE-GS and RNN-LSTM-GS, respectively. It can be seen that both curves tend to bend with each epoch and start to converge on the last epoch. The curves are quite close to each other and behave normally, indicating that there is no overfitting problem. Several measures were implemented to ensure no overfitting, including the use of dropout layers to improve generalization, k-fold cross-validation to ensure consistent performance across data subsets, and a separate holdout dataset to validate the model on unseen data.
Table 4 shows the results of the RNN combination models’ performance. After RNN-SMOTE-GS, RNN-SMOTE is the next model that provides high detection results, ahead of RNN-LSTM-GS. RNN-SMOTE shows strong overall performance with an accuracy of 86%, with high precision, recall, and F1-scores across all classes. RNN-SMOTE-GS demonstrates the highest overall accuracy at 97%, with nearly perfect precision, recall, and F1-scores, indicating the effectiveness of combining SMOTE and grid search. However, RNN-LSTM-GS has a lower overall accuracy (81%) and struggles significantly with the Smurf class, failing to detect it entirely, though it performs well on the normal and TCP classes. The results illustrate the significant impact of optimization techniques like SMOTE and GS on model performance, highlighting the enhanced effectiveness of RNN-SMOTE-GS compared to the other models.
The strong result of RNN-SMOTE indicates that addressing class imbalance with SMOTE alone substantially improves detection across attack types. The further gain of RNN-SMOTE-GS, with near-perfect precision, recall, and F1-scores, shows that data balancing and hyperparameter optimization should be combined to obtain the best model; its accuracy suggests it can reliably classify network traffic and makes it a candidate for practical deployment. Conversely, RNN-LSTM-GS, despite its more elaborate architecture and being the only RNN variant not trained on SMOTE-balanced data, misses the Smurf class entirely: a sophisticated model still underperforms if it is not tuned for, and shown enough examples of, the minority classes. Model selection and optimization therefore need to be tailored to the traffic and attack types at hand.
For the third stack, we developed DNN, DNN-SMOTE, and DNN-GS; Table 5 shows their results. The base DNN reaches only 71% overall accuracy: it classifies the normal class perfectly but performs poorly on the attack classes, particularly Smurf (6% recall) and TCP (31% F1-score). This suggests that a DNN with no handling of the imbalance struggles with the rare classes and with overlapping attack patterns. DNN-SMOTE raises overall accuracy to 85% and improves every class, which shows the value of addressing the imbalance so that the model sees enough examples of the less frequent attack types; Smurf nevertheless remains hard, with 22% recall. DNN-GS, tuned by grid search, achieves the highest overall accuracy among the DNN variants (89%) with strong precision, recall, and F1-scores, and lifts Smurf recall to 54%, showing that hyperparameter tuning on its own already helps substantially. For intrusion detection with DNNs, then, optimization techniques such as SMOTE and GS are essential for a model that generalizes across traffic types and attacks.

4.4. Transferability and Applicability

We also tested the proposed method on the CICDDoS2019 dataset, which contains benign traffic and current, common DDoS attacks and is distributed as raw captures (PCAPs) resembling real-world data [21,22]. A DNN was used as the classifier for this transferability test. The method achieved 95% accuracy, 96% precision, 97% recall, and 98% F1-score on this dataset (the reported F1-score exceeds both precision and recall, which a single harmonic mean cannot do, so these figures are presumably averaged differently, for example macro versus weighted). These results support the transferability and applicability of the method relative to previous studies [3,10,17,18].
The approach lends itself to transfer to real-world systems because it relies on generic traffic features, inter-arrival times and their statistics, that capture the timing anomalies of DDoS floods without inspecting payloads. Its robustness is supported by tests on several attack classes (ICMP, Smurf, and TCP), on a second dataset and benchmark (CICDDoS2019), and with SMOTE and grid search to handle imbalance and tune the models.
The method can integrate with existing security systems as a lightweight, potentially real-time preprocessing layer, or as a component of an SDN architecture. The custom dataset provided controlled insights, and the additional validation on CICDDoS2019 strengthens the case for applicability. Practical deployment would involve retraining the models on operational traffic, ensuring compatibility with existing protocols and capture points, and periodic retraining to keep pace with evolving threats. Because the features are timing-based, a deployment should also verify that capture-side timestamping (for example on a loaded cloud virtual switch) is accurate enough to preserve the IAT signal the models depend on.
It is also worth noting that although Smurf attacks are usually difficult to detect, RNN-SMOTE-GS handled the Smurf class well, reaching 97% accuracy with 92% precision and 95% recall on that class (Table 4). In a Smurf attack, the attacker sends a large number of ICMP echo requests (pings) to a network's broadcast address with the source IP address spoofed to that of the victim, so every host on that network answers the victim with an ICMP echo reply. Smurf traffic is hard to detect for three reasons. (1) Source spoofing: the echo requests appear to come from the victim rather than the attacker, so tracing the origin of the attack is difficult. (2) Many real sources: the replies reaching the victim come from a large number of distinct, legitimate hosts, each sending well-formed ICMP packets, so no single source or packet looks malicious and the flood is hard to separate from legitimate traffic. (3) Amplification: because one broadcast request triggers a reply from every host in the subnet, a small amount of attacker traffic becomes a large volume at the victim, which is hard to distinguish from a legitimate burst unless specific monitoring is in place. What does distinguish the flood is its timing and its asymmetry: the victim receives a burst of tightly spaced echo replies from many sources for requests it never sent. The burst's timing is the kind of inter-arrival-time signature captured by the features in Table 2, and the request/reply asymmetry is a complementary check that a monitoring layer can add.
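As an added illustration (not code from the paper), the following Python computes the Table 2 stream features over per-destination packet arrival times and adds the request/reply asymmetry check for a Smurf victim. The packet trace is constructed here: one host pinging another about once a second with jitter, and 40 hosts answering a spoofed broadcast ping by sending echo replies to a victim about 1 ms apart. Timestamps are integer microseconds. The entropy is Shannon entropy over an 8-bin histogram of the IATs, which is an assumption because the paper does not state how it computes entropy; the 10-source threshold in flag_smurf_victims is likewise an assumption for this example.

```python
import math
import statistics
from collections import Counter

# Constructed trace (not data from the paper). Each packet is
# (timestamp_us, src, dst, proto, icmp_type); ICMP type 8 = echo request, 0 = echo reply.
NORMAL_PING = []
_t = 0
for _gap in [1_000_000, 980_000, 1_050_000, 1_010_000, 990_000, 1_020_000, 970_000, 1_000_000]:
    _t += _gap                                                        # ~1 s apart, with jitter
    NORMAL_PING.append((_t, "10.0.0.5", "10.0.0.9", "icmp", 8))        # echo request
    NORMAL_PING.append((_t + 300, "10.0.0.9", "10.0.0.5", "icmp", 0))  # echo reply 0.3 ms later

# Smurf phase: 40 hosts on 10.0.1.0/24 answer one spoofed broadcast ping, so the victim
# 10.0.0.7 receives echo replies ~1 ms apart from distinct sources it never pinged.
SMURF_REPLIES = [(20_000_000 + i * 1_000, f"10.0.1.{i + 1}", "10.0.0.7", "icmp", 0)
                 for i in range(40)]

TRACE = sorted(NORMAL_PING + SMURF_REPLIES)


def shannon_entropy(values, bins=8):
    """Shannon entropy (bits) of an equal-width histogram of `values`.
    Assumption: the paper does not say which entropy it uses; this is one common choice."""
    if len(values) < 2 or max(values) == min(values):
        return 0.0
    lo, width = min(values), (max(values) - min(values)) / bins
    counts = Counter(min(int((v - lo) / width), bins - 1) for v in values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def stream_features(timestamps, window):
    """Table 2 features for each stream of `window` consecutive packets:
    statistics of the inter-arrival times (IATs) inside the stream."""
    feats = []
    for i in range(0, len(timestamps) - window + 1, window):
        ts = timestamps[i:i + window]
        iat = [b - a for a, b in zip(ts, ts[1:])]
        feats.append({
            "mean": statistics.fmean(iat),
            "median": statistics.median(iat),
            "std": statistics.pstdev(iat),
            "entropy": shannon_entropy(iat),
            "min": min(iat),
            "max": max(iat),
        })
    return feats


def inbound_timestamps(packets, dst):
    """Arrival times of packets addressed to `dst`, in trace order."""
    return [p[0] for p in packets if p[2] == dst]


def smurf_indicators(packets):
    """Per destination of ICMP echo replies: how many replies it received, from how many
    distinct sources, and how many echo requests it sent itself. A Smurf victim is
    flooded with replies to requests it never sent."""
    replies, sources, requests = Counter(), {}, Counter()
    for _ts, src, dst, proto, icmp_type in packets:
        if proto != "icmp":
            continue
        if icmp_type == 0:
            replies[dst] += 1
            sources.setdefault(dst, set()).add(src)
        elif icmp_type == 8:
            requests[src] += 1
    return {dst: {"replies": n, "distinct_sources": len(sources[dst]),
                  "requests_sent": requests[dst]} for dst, n in replies.items()}


def flag_smurf_victims(indicators, min_sources=10):
    """Hosts that get echo replies from at least `min_sources` distinct hosts and more
    replies than requests they sent (the threshold is an assumption for this example)."""
    return sorted(dst for dst, ind in indicators.items()
                  if ind["distinct_sources"] >= min_sources
                  and ind["replies"] > ind["requests_sent"])


if __name__ == "__main__":
    for dst in ("10.0.0.5", "10.0.0.7"):
        for f in stream_features(inbound_timestamps(TRACE, dst), window=8):
            print(dst, {k: round(v, 3) for k, v in f.items()})
    print(smurf_indicators(TRACE))
    print("Smurf victims:", flag_smurf_victims(smurf_indicators(TRACE)))
```

For the victim, every 8-packet stream has a mean IAT of 1000 µs with zero standard deviation and zero entropy, while the jittered normal ping stream has a spread of IATs and non-zero entropy; the asymmetry check then names the victim without looking at any packet's source, which matters because each Smurf source is a legitimate host.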

5. Discussion and Conclusions

This study aimed to present a novel approach for an enhanced IDS detection framework of DDoS attacks based on the inter-arrival time. Addressing the challenge of identifying and thwarting DoS attacks in imbalanced datasets involved leveraging the analysis of network traffic’s inter-arrival time and statistical attributes. By examining the timing between packets and other statistical features, patterns indicative of malicious activity can be detected. Implementing such analysis allows for early detection and rapid mitigation of DoS threats, enhancing the resilience and security of network systems.
We generated real DDoS network traffic with four classes (normal, ICMP, Smurf, and TCP) in the Mininet environment and developed nine predictive models spanning traditional machine learning and deep learning: LR, SVM-SMOTE, SVM-GS, RNN-SMOTE, RNN-SMOTE-GS, RNN-LSTM-GS, DNN, DNN-SMOTE, and DNN-GS, using two optimization methods, SMOTE and GS, to improve performance.
LR achieved the highest overall accuracy among the traditional models at 80%, performing well on the normal and TCP classes but poorly on the Smurf class (21% precision, 11% recall). SVM-GS and SVM-SMOTE reached moderate overall accuracies of 70% and 65%, respectively, excelling on the normal class but missing the Smurf attacks completely. This highlights the limitations of these traditional models on imbalanced data and on attack types like Smurf that overlap with other ICMP traffic.
In contrast, the RNN-SMOTE model exhibited strong overall performance with an accuracy of 86%, maintaining high precision, recall, and F1-scores across all classes. The RNN-SMOTE-GS model further demonstrated the highest overall accuracy at 97%, with nearly perfect precision, recall, and F1-scores, underscoring the effectiveness of combining SMOTE with GS for hyperparameter optimization. However, the RNN-LSTM-GS had a lower overall accuracy of 81%, performing well on the normal and TCP classes but failing to detect the Smurf class entirely.
Finally, the DNN models illustrated the substantial benefits of optimization. The base DNN model showed moderate performance with an overall accuracy of 71%, while the DNN-SMOTE model improved performance on every class, achieving an overall accuracy of 85%. The DNN-GS model achieved the highest overall accuracy among the DNN variants at 89%. This reinforces the critical role of hyperparameter tuning in maximizing model performance.
Overall, the RNN-SMOTE-GS model emerged as the best-performing model, with an overall accuracy of 97% and near-perfect performance metrics across all classes. This highlights the importance of employing advanced optimization techniques such as SMOTE and GS in enhancing the detection capabilities of machine learning models, ensuring they can effectively and accurately classify various types of network traffic and attacks.
Building on the promising results of this study, future research will focus on deploying the proposed IDS framework in real-time cloud environments to evaluate its practical performance under live traffic conditions. Further work will explore adaptive and online learning mechanisms to enable continuous model updates in response to evolving attack patterns. Additionally, explainable AI (XAI) techniques will be integrated to improve the interpretability of deep learning models, particularly RNN-based architectures, allowing security analysts to better understand and trust the system’s decisions. Finally, expanding the dataset to include more diverse and large-scale attack types, such as DNS amplification and HTTP floods, will enhance the generalizability and robustness of the detection system across complex network scenarios.

Author Contributions

Conceptualization, N.T., H.I.A., and O.D.; methodology, N.T., H.I.A., and O.D.; software, N.T., H.I.A., and O.D.; validation, N.T., H.I.A., and O.D.; formal analysis, N.T., H.I.A., and O.D.; investigation, N.T., H.I.A., O.D., A.A., P.Z., and Y.T.; resources, N.T., H.I.A., O.D., A.A., P.Z., and Y.T.; writing—original draft preparation, N.T.; writing—review and editing, N.T., H.I.A., O.D., A.A., P.Z., and Y.T.; visualization, N.T.; supervision, H.I.A. and O.D.; funding acquisition, P.Z. and Y.T. All authors have read and agreed to the published version of the manuscript.

Funding

This study is financed by the European Union-NextGenerationEU, through the National Recovery and Resilience Plan of the Republic of Bulgaria, project No. BG-RRP-2.013-0001.

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Acknowledgments

We would like to thank the European Union-NextGenerationEU, through the National Recovery and Resilience Plan of the Republic of Bulgaria, project No. BG-RRP-2.013-0001.

Conflicts of Interest

The authors declare no conflicts of interest.

References

1. Tashtoush, Y.M.; Darweesh, D.A.; Husari, G.; Darwish, O.A.; Darwish, Y.; Issa, L.B.; Ashqar, H.I. Agile approaches for cybersecurity systems, IoT and intelligent transportation. IEEE Access 2021, 10, 1360–1375.
2. Aleesa, A.; Younis, M.; Mohammed, A.A.; Sahar, N. Deep-intrusion detection system with enhanced UNSW-NB15 dataset based on deep learning techniques. J. Eng. Sci. Technol. 2021, 16, 711–727.
3. Hussain, F.A.-A.; Nashat, D. Time series similarity for detecting DDoS flooding attack. Assiut Univ. J. Multidiscip. Sci. Res. 2022, 51, 229–241.
4. Catak, F.O.; Mustacoglu, A.F. Distributed denial of service attack detection using autoencoder and deep neural networks. J. Intell. Fuzzy Syst. 2019, 37, 3969–3979.
5. Abu-Helo, H.; Ashqar, H. Early ransomware detection system based on network behavior. In International Conference on Advanced Information Networking and Applications; Springer: Berlin/Heidelberg, Germany, 2024; pp. 447–458.
6. Naveed, M.; Arif, F.; Usman, S.M.; Anwar, A.; Hadjouni, M.; Elmannai, H.; Hussain, S.; Ullah, S.S.; Umar, F. A deep learning-based framework for feature extraction and classification of intrusion detection in networks. Wirel. Commun. Mob. Comput. 2022, 2022, 2215852.
7. Hamarshe, A.; Ashqar, H.I.; Hamarsheh, M. Detection of DDoS attacks in software defined networking using machine learning models. In International Conference on Advances in Computing Research; Springer: Berlin/Heidelberg, Germany, 2023; pp. 640–651.
8. Weshahi, A.; Dwaik, F.; Khouli, M.; Ashqar, H.I.; Shatnawi, A.; ElKhodr, M. IoT-enhanced malicious URL detection using machine learning. In International Conference on Advanced Information Networking and Applications; Springer: Berlin/Heidelberg, Germany, 2024; pp. 470–482.
9. Aburbeian, A.M.; Ashqar, H.I. Credit card fraud detection using enhanced random forest classifier for imbalanced data. In International Conference on Advances in Computing Research; Springer: Berlin/Heidelberg, Germany, 2023; pp. 605–616.
10. Ullah, F.; Ullah, S.; Srivastava, G.; Lin, J.C.-W. IDS-INT: Intrusion detection system using transformer-based transfer learning for imbalanced network traffic. Digit. Commun. Netw. 2023, 10, 190–204.
11. Liu, Y.; Tang, S.; Liu, R.; Zhang, L.; Ma, Z. Secure and robust digital image watermarking scheme using logistic and RSA encryption. Expert Syst. Appl. 2018, 97, 95–105.
12. Alghawli, A.S. Complex methods detect anomalies in real time based on time series analysis. Alex. Eng. J. 2022, 61, 549–561.
13. Baldini, G.; Amerini, I. Online distributed denial of service (DDoS) intrusion detection based on adaptive sliding window and morphological fractal dimension. Comput. Netw. 2022, 210, 108923.
14. Gao, L.; Li, Y.; Zhang, L.; Lin, F.; Ma, M. Research on detection and defense mechanisms of DoS attacks based on BP neural network and game theory. IEEE Access 2019, 7, 43018–43030.
15. Bouyeddou, B.; Kadri, B.; Harrou, F.; Sun, Y. Nonparametric Kullback-Leibler distance-based method for networks intrusion detection. In Proceedings of the 2020 International Conference on Data Analytics for Business and Industry: Way Towards a Sustainable Economy (ICDABI), Sakheer, Bahrain, 26–27 October 2020; pp. 1–5.
16. Almorabea, O.M.; Khanzada, T.J.S.; Aslam, M.A.; Hendi, F.A.; Almorabea, A.M. IoT network-based intrusion detection framework: A solution to process ping floods originating from embedded devices. IEEE Access 2023, 11, 119118–119145.
17. Pei, J.; Chen, Y.; Ji, W. A DDoS attack detection method based on machine learning. J. Phys. Conf. Ser. 2019, 1237, 032040.
18. Fernando, G.-P.; Brayan, A.-A.H.; Florina, A.M.; Liliana, C.-B.; Hector-Gabriel, A.-M.; Reinel, T.-S. Enhancing intrusion detection in IoT communications through ML model generalization with a new dataset (IDSAI). IEEE Access 2023, 11, 70542–70559.
19. Panigrahi, R.; Borah, S. A detailed analysis of CICIDS2017 dataset for designing intrusion detection systems. Int. J. Eng. Technol. 2018, 7, 479–482.
20. Nichelini, A.; Pozzoli, C.A.; Longari, S.; Carminati, M.; Zanero, S. CANova: A hybrid intrusion detection framework based on automatic signal classification for CAN. Comput. Secur. 2023, 128, 103166.
21. Sharafaldin, I.; Lashkari, A.H.; Hakak, S.; Ghorbani, A.A. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In Proceedings of the 2019 International Carnahan Conference on Security Technology (ICCST), Chennai, India, 1–3 October 2019; pp. 1–8.
22. Jilcha, L.A.; Kim, D.-H.; Kwak, J. Temporal Decay Loss for Adaptive Log Anomaly Detection in Cloud Environments. Sensors 2025, 25, 2649.
23. Wang, Y.; Wu, Y.; Xu, Y.; Zhang, K.; Xu, Y. Research on Network Intrusion Detection Based on Weighted Histogram Algorithm for In-Vehicle Ethernet. Sensors 2025, 25, 3541.
Figure 1. Proposed framework flowchart.
Figure 2. The architecture of RNN-LSTM.
Figure 3. Distribution of the dataset.
Figure 4. Confusion matrix of SVM-GS.
Figure 5. Confusion matrix of SVM-SMOTE.
Figure 6. Accuracy and epoch relationship for RNN-SMOTE-GS.
Figure 7. Accuracy and epoch relationship for RNN-LSTM-GS.
Table 1. Summary of relevant previous studies.
Study | DoS type | Dataset | Algorithm | Accuracy (%)
[14] | M-Dos | IIoT | Support Vector Machine (SVM) | 96
[15] | ICMP | DARPA99 | SVM | 93
[16] | TCP, UDP, ICMP | collected | Random Forest (RF), SVM | 89
[17] | ARP, ICMP, TCP | IDSAI, Bot-IoT | RF | 94
[18] | UDP, Smurf http, SID, DOS | collected | RF, Naïve Bayesian (NB), Multilayer Perceptron (MLP) | 98
Table 2. Features of the dataset.
No. | Feature | Explanation
1 | Stream | Packets are aggregated into streams of a fixed size (8, 128, or 1024 packets).
2 | Inter-Arrival Time (IAT) | The time elapsed between the arrivals of consecutive packets or data units.
3 | Mean | Central tendency of the IAT values in the stream.
4 | Median | Typical IAT in the stream, indicating the usual behaviour of the traffic.
5 | Standard Deviation | Dispersion of the IAT values around the mean, gauging how stable or fluctuating the traffic pattern is.
6 | Entropy | High entropy indicates a lack of clear structure in the timing, potentially reflecting attack attempts that aim to obscure their pattern.
7 | Min | The minimum IAT in each stream.
8 | Max | The maximum IAT in each stream.
Table 3. Comparison between traditional machine learning algorithms' performance (A: Accuracy, P: Precision, R: Recall, and F1: F1-score; all values in %).
Model | Class | P | R | F1 | A
LR | ICMP | 66 | 79 | 72 | 79
LR | Normal | 100 | 100 | 100 | 100
LR | Smurf | 21 | 11 | 14 | 10
LR | TCP | 74 | 84 | 79 | 84
LR | Overall | 65 | 69 | 66 | 80
SVM-GS | ICMP | 68 | 85 | 75 | 84
SVM-GS | Normal | 100 | 100 | 100 | 100
SVM-GS | Smurf | 0 | 0 | 0 | 0
SVM-GS | TCP | 68 | 80 | 97 | 97
SVM-GS | Overall | 59 | 66 | 68 | 70
SVM-SMOTE | ICMP | 57 | 59 | 54 | 78
SVM-SMOTE | Normal | 100 | 100 | 100 | 100
SVM-SMOTE | Smurf | 0 | 0 | 0 | 0
SVM-SMOTE | TCP | 50 | 97 | 66 | 75
SVM-SMOTE | Overall | 52 | 65 | 58 | 65
Table 4. Comparison between RNN algorithms' performance (A: Accuracy, P: Precision, R: Recall, and F1: F1-score; all values in %).
Model | Class | P | R | F1 | A
RNN-SMOTE | ICMP | 95 | 93 | 94 | 90
RNN-SMOTE | Normal | 88 | 91 | 89 | 85
RNN-SMOTE | Smurf | 92 | 94 | 93 | 88
RNN-SMOTE | TCP | 84 | 88 | 86 | 82
RNN-SMOTE | Overall | 89 | 91 | 90 | 86
RNN-SMOTE-GS | ICMP | 94 | 89 | 92 | 97
RNN-SMOTE-GS | Normal | 100 | 99 | 100 | 97
RNN-SMOTE-GS | Smurf | 92 | 95 | 93 | 97
RNN-SMOTE-GS | TCP | 97 | 100 | 99 | 97
RNN-SMOTE-GS | Overall | 96 | 96 | 96 | 97
RNN-LSTM-GS | ICMP | 49 | 89 | 63 | 81
RNN-LSTM-GS | Normal | 100 | 99 | 99 | 81
RNN-LSTM-GS | Smurf | 0 | 0 | 0 | 81
RNN-LSTM-GS | TCP | 82 | 100 | 90 | 81
RNN-LSTM-GS | Overall | 57 | 72 | 63 | 81
Table 5. Comparison between DNN algorithms' performance (A: Accuracy, P: Precision, R: Recall, and F1: F1-score; all values in %).
Model | Class | P | R | F1 | A
DNN | ICMP | 33 | 33 | 27 | 71
DNN | Normal | 100 | 100 | 100 | 100
DNN | Smurf | 33 | 6 | 10 | 18
DNN | TCP | 33 | 29 | 31 | 89
DNN | Overall | 50 | 39 | 42 | 71
DNN-SMOTE | ICMP | 53 | 89 | 67 | 89
DNN-SMOTE | Normal | 100 | 99 | 99 | 99
DNN-SMOTE | Smurf | 72 | 22 | 33 | 22
DNN-SMOTE | TCP | 93 | 100 | 96 | 100
DNN-SMOTE | Overall | 86 | 85 | 83 | 85
DNN-GS | ICMP | 64 | 85 | 73 | 89
DNN-GS | Normal | 100 | 99 | 99 | 89
DNN-GS | Smurf | 82 | 54 | 65 | 89
DNN-GS | TCP | 95 | 100 | 97 | 89
DNN-GS | Overall | 85 | 84 | 84 | 89
Share and Cite

Terawi, N.; Ashqar, H.I.; Darwish, O.; Alsobeh, A.; Zahariev, P.; Tashtoush, Y. Enhanced Detection of Intrusion Detection System in Cloud Networks Using Time-Aware and Deep Learning Techniques. Computers 2025, 14, 282. https://doi.org/10.3390/computers14070282