Previous Article in Journal
Regulation of Sialidase Biosynthesis by Control Mechanism Induction in Antarctic Strain Penicillium griseofulvum P29
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Sci
Volume 8
Issue 1
10.3390/sci8010020
sci-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Cutting-Edge DoS Attack Detection in Drone Networks: Leveraging Machine Learning for Robust Security

by
Albandari Alsumayt
1,*,
Naya Nagy
1,
Shatha Alsharyofi
1,
Resal Alahmadi
1,
Renad Al-Rabie
1,
Roaa Alesse
1,
Noor Alibrahim
1,
Amal Alahmadi
1,
Fatemah H. Alghamedy
2 and
Zeyad Alfawaer
3
1
Saudi Aramco Cybersecurity Chair, Networks and Communications Department, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal University, Dammam 31441, Saudi Arabia
2
Computer Science Department, Applied College, Imam Abdulrahman Bin Faisal University, Dammam 31441, Saudi Arabia
3
Science, Technology, and Mathematics Department, Lincoln University of Missouri, Jefferson City, MO 65101, USA
*
Author to whom correspondence should be addressed.
Sci 2026, 8(1), 20; https://doi.org/10.3390/sci8010020
Submission received: 4 November 2025 / Revised: 31 December 2025 / Accepted: 16 January 2026 / Published: 20 January 2026
(This article belongs to the Topic Trends and Prospects in Security, Encryption and Encoding)
Browse Figures
Versions Notes

Abstract

This study aims to enhance the security of unmanned aerial vehicles (UAVs) within the Internet of Drones (IoD) ecosystem by detecting and preventing Denial-of-Service (DoS) attacks. We introduce DroneDefender, a web-based intrusion detection system (IDS) that employs machine learning (ML) techniques to identify anomalous network traffic patterns associated with DoS attacks. The system is evaluated using the CIC-IDS 2018 dataset and utilizes the Random Forest algorithm, optimized with the SMOTEENN technique to tackle dataset imbalance. Our results demonstrate that DroneDefender significantly outperforms traditional IDS solutions, achieving an impressive detection accuracy of 99.93%. Key improvements include reduced latency, enhanced scalability, and a user-friendly graphical interface for network administrators. The innovative aspect of this research lies in the development of an ML-driven, web-based IDS specifically designed for IoD environments. This system provides a reliable, adaptable, and highly accurate method for safeguarding drone operations against evolving cyber threats, thereby bolstering the security and resilience of UAV applications in critical sectors such as emergency services, delivery, and surveillance.

1. Introduction

Drones, or UAVs, have transformed numerous industries, including transportation, industrial inspections, disaster recovery, security, and agriculture, by leveraging IoD technology [1]. UAVs are crucial in package delivery, surveillance, and military operations [2]. However, the increasing reliance on UAVs for critical tasks exposes them to malicious attacks that threaten their confidentiality, integrity, and availability (CIA). Notably, cyberattacks targeting drones include GPS spoofing, malware, unauthorized manipulations, and skyjacking. Among these, DoS attacks pose a significant challenge by compromising the availability of drone services through network overload [3]. Such attacks aim to saturate communication bandwidth, rendering drones incapable of normal operation and inaccessible to legitimate users, severely degrading service quality and jeopardizing public safety.
The IoD environment further complicates security with vulnerabilities related to risks such as data interception, unauthorized access, and privacy infringements [4]. Consequently, there are pressing security concerns associated with UAV operations in Software-Defined Networking (SDN) frameworks, where traditional security measures may be inadequate [5]. Current countermeasures against DoS attacks exhibit limitations, such as high latency, inadequate real-time adaptation, and poor scalability. Furthermore, existing solutions often lack effective response mechanisms to mitigate risks during an attack. To enhance the performance of IDS and bolster the security, reliability, and integrity of UAV operations in critical applications, significant improvements are necessary [6].
Machine learning and deep learning algorithms are increasingly integrated into UAV systems for threat detection and prediction [7]. Several applications harness the synergy between drones and AI techniques [8,9]. However, successful implementation relies on adequate datasets that accurately represent real-world scenarios [9]. This paper proposes a novel intrusion detection system utilizing machine learning to detect and mitigate DoS attacks, extending our previous review [10]. Recent research has also highlighted the efficacy of various machine learning models in identifying DDoS attacks within UAV communication systems, with Random Forest demonstrating superior classification performance [11]. Its ensemble learning capabilities make it particularly suitable for deployment in UAV network security applications, especially given its ability to differentiate effectively between normal and attack instances. While other models, such as XGBoost and Gradient Boosting, showed competitive results, their limitations in recall contributed to higher false negative rates. In contrast, SVM and logistic regression struggled with complex decision boundaries, resulting in lower prediction accuracy.
DoS attacks represent one of the most critical threats, potentially disrupting service availability and compromising essential functions. Cyberattacks targeting contemporary ICT systems like the IoD are increasingly prevalent, with evidence highlighting the risks and repercussions of such incidents. The impact of these attacks can range from integrity issues to significant challenges concerning availability and confidentiality [12]. Therefore, it is crucial to design and implement systems that meet stringent security criteria, including identifying active threats as key countermeasures. IDSs are recognized as effective tools for the prompt detection of these attacks [13]. Despite ongoing advancements, existing IDS solutions for IoD face challenges such as high false positive rates, resource constraints on drones, poor adaptation to evolving attack patterns, and a lack of standardized datasets for evaluation [14]. Comprehensive analyses synthesizing available research are also scarce. Previous studies have reviewed the state-of-the-art in IDS for IoT, emphasizing machine learning model effectiveness and prevailing challenges and future research directions [15].
The motivation for this paper is driven by the insufficient detection and mitigation techniques for DoS attacks targeting UAVs, the significant impact of such attacks on operational capabilities, and associated public safety concerns. This paper’s aim is to contribute significantly to the security and reliability of UAV deployments in critical sectors through our proposed solution.
In summary, the paper is structured as follows: Section 2 provides a literature review of related works. Section 3 details the methodology and proposed system design; Section 4 showcases system interfaces; Section 5 discusses implementation details; Section 6 presents experimental results; and Section 7 addresses professional, ethical, legal, and social implications. Finally, Section 8 concludes the paper and outlines future directions. Figure 1 illustrates the paper organization for each section.

2. Literature Review

This section presents a review of related works identified using the PRISMA method. We searched the Scopus database with the following query: (“detect” AND (“Denial of Service” OR “DoS”) AND (“Internet of Drones” OR “IoD”) AND (“machine learning” OR “ML”). Papers classified as reviews, conference proceedings, or book chapters were excluded, resulting in a total of nine studies for analysis.
One study utilizing the UNSW-NB15 intrusion detection dataset serves as the foundation for training and testing models. It employs two feature selection techniques: singular value decomposition (SVD) and principal component analysis (PCA). The study classifies the modified feature space using various methods, including convolutional neural networks (CNNs), stochastic gradient descent, and ridge regression (RR). Its ability to manage both binary and multiclass classification contributes to its popularity. The results indicate that PCA and SVD significantly enhance the accuracy of classification frameworks, leading to superior performance in intrusion detection systems (IDSs). Notably, the accuracy of the Ridge Regression classifier improved from 98.13% to an exceptional level in binary classification tasks [10].
Another study proposes a cybersecurity architecture for the Internet of Things (IoT) drones. This system employs a voting ensemble of machine learning algorithms, analyzing data from multiple sources, including network information, drones, and sensors, to identify security patterns and detect attacks. Architecture integrates advanced technologies such as machine learning, artificial intelligence, data fusion, and anomaly detection, creating a robust and adaptable security solution. By leveraging sophisticated algorithms, the framework can recognize both known and unexpected threats, facilitating timely responses and mitigation strategies. When tested on a drone dataset, the framework achieved an impressive accuracy rate of 99.89% in real-time cyberattack detection, outperforming previous methods. A dynamically created merged dataset was utilized to evaluate the framework’s performance in terms of accuracy, recall, precision, and F1-score, demonstrating the effectiveness of the RegressionNet model in accurately detecting various types of attacks [11].
A different approach focuses on IoT-based UAV networks, employing machine learning approaches to identify anomalous activity. This research introduces a novel method for leveraging machine learning within flying ad hoc networks (FANETs), which consist of collaborating UAVs, orbiting satellites, and ground-based stations. In this architecture, UAVs collect data, while IoT sensor nodes are deployed on the ground. The cognitive lightweight-LR strategy used in this study effectively balances high accuracy with a reduced rate of false alarms. Performance evaluation is conducted using the UNSW-NB15 dataset, demonstrating the method’s effectiveness in detecting anomalies within the network [16].
Security remains a critical issue across various fields of study today. One approach to identifying potential online attacks is through a FANET-based intrusion detection system (IDS) [2]. A novel algorithm, CSODAE-ID, has been developed and validated for intrusion detection within the Internet of Drones (IoD) environment. Initially, the CSODAE-ID approach preprocesses the data, followed by feature selection using the MDHO-FS method. Intrusions in the IoD domain are then classified using an autoencoder (AE) technique, and hyperparameter tuning is performed with the Crystal Structure Optimization (CSO) algorithm, inspired by crystal lattice formations. The model’s performance is evaluated through extensive simulations, demonstrating a high accuracy of 99.12% and showing that the CSODAE-ID model outperforms contemporary methods.
Fog computing emerges as an innovative solution to enhance networking, computing, and storage capabilities in the Internet of Vehicles (IoVs). However, significant privacy and security risks pose challenges for smart cities. These risks, particularly during information sharing among mobile nodes, create barriers for fog-assisted IoVs (Fa-IoVs). Addressing these security anomalies is essential for the effective network interactions of Fa-IoVs. Ensuring smooth communication in this context reduces the likelihood of data loss, latency, and communication overhead. This study aims to identify research gaps within the Fa-IoVs network and introduces CAaDet (convolutional autoencoder-aided anomaly detection), a dynamic deep learning-based approach to enhance security [3].
Furthermore, another study proposes a novel hybrid detection system for intrusions that utilizes machine learning techniques to manage uneven network traffic data [6]. The algorithms employed include XGBoost, Mini-VGGNet, long short-term memory (LSTM), and AlexNet. The importance of various features for enhancing detection accuracy and interpretability is assessed using the Random Forest Regressor. To ensure the effectiveness of the intrusion detection system (IDS), it is crucial to address the inherent class imbalance present in network data. The proposed method incorporates a combination of undersampling techniques for majority classes and oversampling methods for minority classes during data preparation. This balanced representation of network traffic data enables the IDS to better identify rare or unique intrusions, reducing bias toward the majority class. Feature extraction with the Random Forest Regressor serves dual purposes. It identifies particularly relevant characteristics in system traffic data that are essential for intrusion detection. Additionally, it allows the model to prioritize and focus on these key features during training, thereby enhancing detection accuracy while minimizing computational complexity.
In addition, another method is proposed: a deep learning-based hybrid approach utilizing generative adversarial networks (GANs) to identify malicious intruders [17]. This method features a distributed IDS controller that has been evaluated on the NSL-KDD dataset, demonstrating enhanced effectiveness in detecting Distributed Denial-of-Service (DDoS) attacks. To detect these attacks, experimental results are calculated using predetermined threshold values. The findings indicate that the HD-GAN model achieves superior intrusion detection, characterized by higher precision, recall, reliability, and F-measure, along with a lower false-positive rate (FPR).
Moreover, a study proposes an intrusion detection system (IDS) that employs a group classifier in conjunction with Tuna Swarm Optimization (TSO) to fine-tune hyperparameters and enhance detection accuracy for attacks within an Internet of Things (IoT) context [18]. The publicly available message queue telemetry transport (MQTT) network dataset is utilized to categorize the data into several groups: SlowLoris, malformed, brute force, flood, DoS, and valid. Before balancing the data using the synthetic minority oversampling technique (SMOTE) and conducting feature extraction with recursive feature elimination (RFE), the dataset is initially preprocessed to eliminate potential outliers. Lastly, the optimized parameters obtained through TSO, combined with the ensemble classifier, significantly enhance the detection of IoT attacks, achieving a classification accuracy of 99.12%. Additionally, a study presents a technique utilizing the reinforcement learning-based gradient monitored (RLGM) mechanism to identify jamming attacks [19]. The RLGM approach preserves safe zones and reduces gradient variance, thereby improving the accuracy of the learning objective. Moreover, RLGM selects the precise set of parameters required by the network during the training phase, facilitating rapid training progress. By employing automatically adjusted weights, RLGM generates the foundational deep network structure through spontaneous derivation during training. Our proposed strategy outperforms traditional non-machine learning approaches, such as GA-AOMDV, as well as other reinforcement learning methods, including Federated RL and Deep Q-Learning (DQL).
In 2025, researchers are exploring AI-driven safety and security measures for UAVs, ranging from machine learning to large language models [20]. Furthermore, a hybrid detection system integrating machine learning algorithms such as XGBoost and LSTM is proposed to manage uneven network traffic data. This system addresses class imbalance through undersampling and oversampling techniques, enhancing the detection of rare intrusions [21]. Another study explored machine learning techniques to detect DoS attacks in IoD environments, reviewing various machine learning algorithms, and highlighting their strengths and limitations in securing UAV networks [22]. Another study in 2024 proposes a cybersecurity architecture leveraging machine learning and IoT technologies within the IoD framework, using IoT-enabled sensors to collect and analyze data [23]. Also in 2025, a study introduces a risk-sensitive PPO algorithm and proposes a training framework incorporating multi-head to address challenges in reinforcement learning-based missile evasion algorithms [24,25]. These recent advancements highlight the ongoing efforts to develop robust and efficient security solutions for the evolving landscape of UAV networks.
Recent research continues to emphasize the importance of machine learning in enhancing UAV security. For example, a study from 2024 proposes an autoencoder-based machine learning intrusion detection method for UAV communications, relying on an autoencoder neural network to extract important features from original data, which are then fed to machine learning models for classifying attack types [26]. Another study in 2025 employs traditional ML-based algorithms for detecting DDoS attacks and botnet activity in UAV networks [27]. Furthermore, the cross-layer convolutional attention network (CLCAN) has been introduced as a novel IDS architecture for IoD networks, demonstrating high accuracy (98.4%), recall (98.7%), and F1-score (98.1%) in detecting complex cyber threats [28]. These recent advancements highlight the ongoing efforts to develop robust and efficient security solutions for the evolving landscape of UAV networks. Table 1 summarizes the related works on IDS in IoD.
Based on the bibliometric analysis of publication years and the co-occurrence of authors’ keywords, as illustrated in Figure 2, all selected studies were conducted in 2022 or later. Over the past year, topics related to security within the Internet of Drones (IoD) have gained significant traction. This trend underscores the importance and novelty of this area of research.

3. Methodology and Proposed System Design

3.1. Design Overview

The ML-based IDS should emphasize a user-friendly design. To ensure a positive user experience, the system must be cohesive and easy to navigate. It is essential to develop architecture and components that seamlessly integrate and fulfill all requirements outlined in the Software Requirements Specification (SRS). Furthermore, the system should meet user expectations by providing accurate results and efficient services. By achieving these goals, network administrators will be more inclined to utilize the system whenever necessary, contributing to a secure Internet of Drones (IoD) environment.

3.2. System Model

Figure 3 illustrates our proposed IDS system model, DroneDefender, which operates as follows:
The network administrator logs into the system through the IDS GUI web application and uploads the network traffic collected from the UAV network they manage. The data processing unit utilizes a reliable labeled dataset, CIC-IDS 2018, serving as the knowledge base for the IDS system. The IDS applies to the Random Forest (RF) machine learning algorithm for classification, using selected features relevant to detecting DoS attacks on UAV networks. If a DoS attack is detected, a warning is sent via email, including the source IP address of the attacker and the time of the alert. These alert details are also visible to the administrator in the GUI, and a report of the alerts can be generated upon request. Additionally, the source IP address associated with the DoS attack packets will be added to a blacklist, allowing network administrators to implement mitigation measures. If no DoS attack is detected, no alert is generated, and the packet is ignored.

3.3. Machine Learning Architectural and Design Approach

Within our system, we have chosen Python as the programming language for training machine learning models using Random Forest (RF) algorithms and for developing the web application. The Random Forest (RF) algorithm has consistently shown strong performance in previous UAV/IoD intrusion detection research because of its robustness, resilience against noise, ability to cope with high-dimensional traffic functions, and efficacy with imbalanced datasets. RF is more useful for UAVs and edge-constrained scenarios where delay and resource utilization are crucial, since it offers great accuracy with much less processing overhead than computationally costly deep learning models like LSTM. Furthermore, findings from earlier research show that RF detects DoS assaults on par with or even better than popular classifiers like SVM, KNN, LR, and MLP. In line with these conclusions, our data verify that RF maintains operational viability while offering dependable detection accuracy. Additionally, results from previous studies demonstrate that RF identifies DoS attacks as well as or even better than well-known classifiers like SVM, KNN, LR, and MLP. According to these findings, our results confirm that RF provides reliable detection accuracy while retaining operational viability.
Several Python libraries and frameworks will be effectively employed in constructing the project.
  • Scikit-learn, commonly referred to as sklearn, is a popular Python machine learning package that offers an extensive collection of tools and techniques for a wide range of tasks, including model selection, regression, clustering, dimensionality reduction, and classification.
  • Pandas is a well-known open-source Python library for analyzing and manipulating data. It simplifies working with structured data, such as tabular data and time series, through its robust data structures and operations. Pandas are built on top of NumPy and are frequently used alongside other libraries for tasks such as data analysis and machine learning.
  • NumPy is a core Python package designed for numerical computations. Its powerful array object and array-manipulating functions enable efficient mathematical operations on large datasets. NumPy is widely used in the scientific and data analysis communities.
  • Finally, Matplotlib is a popular Python library for creating interactive, animated, and static visualizations. It provides a wealth of tools for generating various types of plots, including histograms, line graphs, scatter plots, and bar charts, among others.

3.4. Web Application Design Approach

The primary purpose of this web application is to enable the network administrator to utilize the trained machine learning model to analyze, detect, and identify DoS attack patterns within the uploaded UAV network traffic data file, as well as to view the results. The application consists of four straightforward interfaces. The login interface authenticates the provided username and password credentials against the pre-registered admin information stored in the database. The home page displays the uploaded dataset after the feature selection process, allowing administrators to manually analyze the network traffic based on selected features relevant to detecting DoS attack patterns. Additionally, the home page shows the percentages of correct predictions for each class produced by the machine learning model after processing the uploaded data. The Alerts and Blacklisted IPs interface presents tables of generated alerts and blacklisted IPs (source IPs of attackers), respectively.
We utilized Python’s Streamlit and SQLite libraries to build the database of pre-registered admin accounts and to develop the web application. Streamlit, an open-source library, simplifies the creation of web applications using Python scripts, enabling data visualization, user interface development, and integration of machine learning models. This approach streamlines the integration of our trained model with web interfaces, as all code for both the web application and machine learning model development remains within the Python environment. Figure 4 shows a use case diagram that illustrates how the network administrators interact with the IDS GUI interfaces.

4. System Interfaces

The login page, illustrated in Figure 5, requires the administrator to enter their username and password. Upon submitting this information, the system verifies the credentials against the database to authenticate the administrator. If the inputs are correct, the user is redirected to the home page.
The home page, depicted in Figure 6, prompts the administrator to upload the desired dataset for testing and detecting DoS attacks using the model.
After the administrator uploads the dataset and the detection process is completed, the alert page, shown in Figure 7, will display relevant information and send an email to notify the administrator about any suspicious activities. Additionally, it will offer the administrator the option to download a report regarding the incident.
After the administrator uploads the dataset and the detection process is completed, the blacklisted IPs page will be displayed, as shown in Figure 8.

5. Implementation

5.1. Dataset

We utilize a reliable labeled dataset known as the CIC-IDS 2018 dataset [29], which is particularly relevant to UAV networks. Originally intended for analyzing DoS data, this dataset comprises 1,048,575 rows and 80 features in total. Thirteen of these columns were carefully selected using a genetic algorithm (GA) [30] as the key features for distinguishing between benign and DoS packets. Since the values of these selected features are influenced by DoS attacks, they are considered valuable for training our machine learning model. Table 2 lists these features along with their descriptions. The use of this dataset significantly enhanced the accuracy of our machine learning model [31].

5.2. Data Preprocessing

Rows containing at least one missing value were removed, along with any duplicate rows. For the label column, the categories “DoS Attacks-GoldenEye” and “DoS Attacks-Slowloris” were consolidated into a broader category labeled “DoS.” This results in two binary classes: Benign and DoS. For training and testing purposes, the Benign and DoS labels were converted to numeric values of 0 and 1, respectively. Additionally, all features not listed in Table 2 were eliminated. Figure 9 illustrates the distribution of both classes in the original dataset.
We divided the dataset into 70% for training and 30% for testing with a stratified strategy to preserve the original class distribution across training and testing sets, and random state = 42, as it is a commonly adopted setting in machine learning experiments, resulting in 32,649 records in the training set and 13,992 in the testing set. As shown in Figure 10, the two classes are imbalanced. To address this issue, we employed the SMOTEENN technique. SMOTEENN (synthetic minority oversampling technique combined with edited nearest neighbors) is a method used in machine learning to balance imbalanced datasets by generating synthetic samples for the minority class, thereby enhancing model performance and reducing the risk of overfitting. We balanced the minority class while removing the majority class from the training split, which comprised 70% of the original data. The default configuration of SMOTEENN was employed, with random state = 42. Figure 10 illustrates the distribution of both classes in the training dataset after applying SMOTEENN.

5.3. Classification Algorithms

Several ML models were trained including Random Forest, XGBoost, and SVM classifier. Our model training process is outlined as follows:
  • Random Forest classifier is trained based on default hyperparameters and best hyperparameters based on grid search of the RF using SMOTEENN data and original data.
  • XGBoost is trained with the best hyperparameters based on grid search using SMOTEENN data and original data.
To enhance the performance of the ML classifiers, we employ the grid search method.
This approach constructs a pipeline that includes the selected ML classifier and applies grid search to explore various combinations of hyperparameters. The objective is to identify the set of hyperparameters that maximizes model performance as shown in Table 3. Cross-validation is utilized to evaluate each parameter combination’s performance. Ultimately, the process returns an optimized Random Forest classifier for further analysis or predictions.

6. Experiment Evaluation and Testing

6.1. Machine Learning Model Evaluation

The measurable metrics used to assess a model’s performance include the confusion matrix, accuracy, recall, precision, and F1-score. These metrics evaluate the effectiveness of specific features of the model.
The CIC-IDS2018 dataset was first cleaned, duplicates were eliminated, labels were combined into binary classes, and only the 13 GA-selected DoS-relevant characteristics were kept in order to make the assessment process more understandable. In order to maintain the original class distribution, the dataset was subsequently split into 70% training and 30% testing using a stratified split (random state = 42). Crucially, SMOTEENN was limited to the training phase, guaranteeing that the test set did not contain any artificial samples or resampled data. Grid search with cross-validation was used to optimize the model solely on the training data in order to reduce overfitting. The completed model was then assessed once on the unaltered test split. Together, these actions end due to optimistic bias and data leakage. Although the resultant near-perfect performance might seem abnormally high, it is compatible with (i) the categorization into setting, (ii) the exceptional discriminative strength of the chosen features, and (iii) Random Forest’s aptitude for this sort of dataset—a pattern that has also been seen in previous publications.
Confusion Matrix: This table represents the model’s performance on a test dataset with known true values. It allows observation of the model’s accuracy by displaying the number of true and false predictions in a four-cell layout: true positives (TP), true negatives (TN), false positives (FP), and false negatives (FN), as shown in Table 4.
Accuracy: This metric indicates the overall accuracy of the model, calculated by dividing the total number of true predictions by the total number of observations.
Accuracy = (True Positives (TP) + True Negatives (TN))/Total Observations
Table 5 presents a comparison of the performance metrics for various versions of Random Forest (RF) and XGBoost models. It evaluates the effects of using default model parameters versus optimized “best” parameters, as well as the impact of the SMOTEENN data preprocessing technique. The key findings are as follows:
  • The basic RF model using default parameters and the original dataset achieved an impressive testing accuracy of 99.99%, with perfect scores of 100% for recall, precision, and F1-score.
  • When the same basic RF model was trained on the SMOTEENN preprocessed data, the testing accuracy slightly decreased to 99.92%, while recall, precision, and F1-score remained at the perfect 100% level.
  • The optimized RF model with the best parameters, when trained on the original data, maintained a high testing accuracy of 99.99% and perfect scores across all other metrics.
  • Similarly, the optimized RF model with the best parameters, using the SMOTEENN preprocessed data, exhibited a testing accuracy of 99.93% and perfect 100% scores for recall, precision, and F1-score.
  • The results of the optimized XGBoost model with the best parameter results of the original data and SMOTEENN are very similar.
Figure 11, Figure 12, Figure 13 and Figure 14 depict the actual versus predicted values for the model under different conditions. The first two plots (Figure 11 and Figure 12) showcase the basic RF model without parameter optimization, utilizing the SMOTEENN preprocessed data and the original dataset, respectively. The basic model has difficulty accurately predicting the minority class when trained on the original data, but its performance shows improvement when trained on the SMOTEENN data.
Figure 15 and Figure 16 illustrate the optimized RF model with the best parameter settings, using both the original dataset and the SMOTEENN preprocessed data. The optimized model shows a better alignment between actual and predicted values, particularly when trained on the SMOTEENN data. This trend indicates that both parameter optimization and the application of the SMOTEENN data preprocessing technique can enhance the performance of the Random Forest classifier. The optimized model with SMOTEENN data demonstrates the most balanced and accurate predictions, underscoring the significance of model tuning and data preparation in improving the effectiveness of machine learning models. Additionally, we achieved a higher accuracy rate than reported in the paper [31], which noted an accuracy of 96.2%. Our work utilized the same dataset and algorithm, Random Forest, highlighting the improvements made.

6.2. Website System Test

In this section, we discuss the objectives of the testing plan, along with its background, methodology, and scope. We also identify the features of DroneDefender that will undergo testing. The plan encompasses the testing approach, pass/fail criteria, testing processes, activities, cases, responsibilities, requirements, and resources.
The primary goal of the testing plan is to verify that DroneDefender meets all functional requirements while ensuring that the website provides a user-friendly interface for network administrators. It is essential that only pre-registered network administrators log onto the website, and that the machine learning model accurately processes the uploaded data. Additionally, the results generated by the model must be correctly displayed on the web interfaces, and the alerts of reports should contain accurate and sufficient information. Ultimately, the plan aims to ensure that DroneDefender successfully passes all testing activities.
Testing will cover user functions, such as logging into DroneDefender, successfully uploading network traffic data files, viewing blacklisted IPs, and extracting alert reports. It will also address system functions, including the validation of login credentials, confirmation that uploaded files are in the correct CSV format, processing of the uploaded data, sending email alerts to the main administrator in the event of detected DoS attacks, and displaying the required information on the website’s pages, including Home, Alerts, and Blacklisted IPs.
The website development code will be thoroughly reviewed to confirm that DroneDefender is prepared for deployment in a production environment. This review will encompass all front-end functionalities, including the operation of buttons and user input for logging in and uploading files. Additionally, all code related to various functions will be assessed, from the network administrator’s login process to the display of results generated by the machine learning model, as well as the sending of alert emails and the extraction of alert reports. Each aspect will be checked against the required outcomes to ensure full functionality and readiness.
The features of DroneDefender that will be tested include the following: the network administrator login process, which restricts access to only pre-registered admins saved in the database; the successful uploading of files in the correct format; and the detection of DoS attacks through integration with the trained machine learning model. Additionally, the machine learning model must demonstrate acceptable results and accuracy. Timely email alerts should be generated in the event of a DoS attack detection, and the source IP addresses of such attacks must be displayed on the “Blacklisted IPs” page. Finally, the system should allow logged-in network administrators to generate and extract alert reports as needed.
Component Testing: Every area of the system will be tested individually, including admin login, uploading network data traffic, DoS attack detection, the accuracy of results from the machine learning model, and alert report generation. Following this, integration testing will combine the system components.
The testing technique will involve providing the tested components with both valid and invalid data to ensure that appropriate inputs yield relevant results, while also displaying error messages for incorrect login credentials or inappropriate file types. The completion criteria stipulate that each component must function as intended and handle errors appropriately.
The system testing approaches are as follows:
  • Integration Testing: Once individual component testing is complete, integration testing will be conducted by gradually merging the components and evaluating their interactions. The primary objective of this testing phase is to ensure successful integration and verify that the system interfaces are properly linked with the database tables of pre-registered network admins and the machine learning model.
  • Performance Testing: DroneDefender must operate as expected, without interruptions that could disrupt functionality. The system should upload a dataset from the user and process it to produce accurate results. To test DroneDefender’s performance, the dataset will be uploaded for processing by the machine learning model to detect suspicious behavior in network traffic, leading to the generation of alerts and blacklisting of suspicious IP addresses.
  • Interface Testing: The web interfaces of DroneDefender will be evaluated to ensure they function correctly and communicate effectively with the intended network administrator. This testing will confirm that the interfaces are user-friendly, clear, and easy to navigate.
  • Security Testing: Security measures will be put in place to ensure that passwords and sensitive information are neither hardcoded in the code nor visible in the database. All network administrator passwords will be salted, hashed, and securely stored in the database table for admins.

6.3. Test Cases

The testing environment can operate on any PC or laptop with suitable hardware. The software requirements include several Python packages: Pandas 2.1.x, SQLite3.42.0, NumPy 1.26.4, VSCode, Streamlit 1.38.0, Matplotlib 3.8, and hashlib 3.1.
During the implementation phase, a comprehensive software testing plan must be developed alongside the system functionalities. After the testing procedures are completed as shown in Table 6 and Table 7, the system should align with user needs. Ultimately, team members will have the opportunity to showcase their work and provide detailed insights into the system’s features for those interested in protecting their UAVs from DoS attacks as shown in Table 8 and Table 9. The testing tasks include the following:
  • Setting up the hardware environment.
  • Preparing for the software environment.
  • Conducting test cases.
  • Troubleshooting testing errors.
  • Maintaining the system consistently.
Table 6. Network administrator login’s test case.
Table 6. Network administrator login’s test case.
Test CaseNetwork Administrator Login
Pre-requisite
  • The user must be previously registered as a network administrator with a username and password in the database.
Test Procedure
  • Access DroneDefender web application.
  • Fill in the username and password fields.
  • Press the “Login” button.
  • In case of an invalid login credential, an error message is displayed.
  • Complete the log-in process, as shown in Figure 16.
Expected Result
  • If the username and password are provided correctly (match those found in the database), the admin will be allowed into the application and ready to import the network traffic data file on the home page.
Table 7. Network traffic data file upload’s test case.
Table 7. Network traffic data file upload’s test case.
Test CaseUpload Network Traffic Data
Pre-requisite
  • The user must be authorized and have the network traffic data in the correct CSV format.
Test Procedure
  • Select to upload a file, as shown in Figure 17.
  • Choose the desired file to upload.
  • Verify that the file is uploaded in the correct format.
  • Show error message if no file is uploaded or if the format is incorrect (system only accepts CSV).
Expected Result
  • A message indicating successful file upload will be displayed, and a bar chart graph of the packet counts for each IP address found in the input file will be shown, as in Figure 18.
Sci 08 00020 g017
Figure 17. After uploading the traffic data interface.
Figure 17. After uploading the traffic data interface.
Sci 08 00020 g017
Sci 08 00020 g018
Figure 18. Home page with correct predictions.
Figure 18. Home page with correct predictions.
Sci 08 00020 g018
Table 8. DoS attack detection’s test case.
Table 8. DoS attack detection’s test case.
Test CaseDoS Attack Detection
Pre-requisite
  • A pre-uploaded network traffic CSV file.
Test Procedure
  • The uploaded file is sent to the trained ML model.
  • The ML model processes and detects DoS attack patterns.
  • The ML prediction results of each class (Benign, DoS) are obtained from the model.
Expected Result
  • The percentages of correct predictions in each class (Benign, DoS) will be displayed for the network administrator on the home page (as shown in Figure 19).
  • A version of the uploaded file (after feature selection and removal of unnecessary columns) will be displayed on the admin homepage (as shown in Figure 19).
Sci 08 00020 g019
Figure 19. Home page with uploaded file after feature selection.
Figure 19. Home page with uploaded file after feature selection.
Sci 08 00020 g019
Table 9. Alert generation and report extraction’s test case.
Table 9. Alert generation and report extraction’s test case.
Test CaseAlert Generation
Pre-requisite
  • A processed network data file by the trained ML model
Test Procedure
  • Enter the “Alerts” page (as shown in Figure 7).
  • Ensure an alert email is sent if the ML model detects a DoS attack pattern in the uploaded file.
Expected Result
  • Emails with alert details (DoS attack detection) are automatically sent.
  • A table displaying suspicious activity, source IP address, and alert date/time is shown on the “Alerts” page.
  • The admin can generate a CSV report of the alerts (as shown in Figure 20).
Sci 08 00020 g020
Figure 20. Downloaded CSV file.
Figure 20. Downloaded CSV file.
Sci 08 00020 g020

6.4. Real-Time Deployment and System Feasibility

  • Real-Time Operation and Latency:
    Using a standard edge-computing environment similar to UAV ground stations (Intel i7, 16 GB RAM; Raspberry Pi-class evaluation underway), we assessed the trained Random Forest model. Processing in real-time under DoS attack situations is made possible by the model’s typical inference latency of 2.4–4.1 ms per flow. These metrics have been included, and the buffering delay-free processing of streamed packet batches has been made clear.
  • Resource Consumption & Processing Overhead:
    We tracked CPU usage and model footprint. The model is suitable for lightweight ground nodes or fog/edge gateways rather than taxing UAV onboard systems because it requires less than 35 MB of memory, and CPU utilization stays below 18% at peak detection load. These findings are now stated clearly.
  • Deployment Model Clarification:
    The proposed deployment architecture is now stated in unambiguous terms: By evaluating UAV traffic at the ground station/controller or fog gateway, DroneDefender functions as a lightweight edge-layer intrusion detection system (IDS) that avoids UAV onboard computing limits while guaranteeing real-time security response capabilities.

7. Professional, Ethical, Legal, and Social Implications and Business Continuity Strategies

7.1. Professional, Ethical, Legal, and Social Implications

In this pivotal section, we explore the profound implications and intricate security considerations surrounding our system, delving into the professional, ethical, legal, and social dimensions of our work.
  • Professional Implications: In the realm of detecting Denial-of-Service (DoS) attacks within the Internet of Drones (IoD) using machine learning, the professional implications are significant. Our project aims to enhance cybersecurity measures within the IoD framework, attract skilled professionals, and foster trust among stakeholders. Implementing effective business continuity strategies is crucial for project success, requiring meticulous planning and coordination to mitigate disruptions and maintain operational integrity.
  • Ethical Considerations: Ethically, our project highlights the responsibility to protect the integrity and security of IoD systems. By utilizing machine learning algorithms to detect DoS attacks, we demonstrate a commitment to ethical data practices and prioritize user information protection. Transparency, inclusivity, and ethical considerations guide our approach, ensuring the project’s impact aligns with societal values and respects individual privacy rights.
  • Legal Compliance: Legally, our project must comply with various regulations governing cybersecurity, data protection, and drone operations. Adhering to cybersecurity standards is essential to mitigate legal risks and ensure regulatory compliance. Protecting sensitive data and following ethical data practices are vital to avoid legal liabilities and maintain the project’s integrity within the legal framework.
  • Social Impact: Socially, our project enhances the security and resilience of IoD networks, fostering public trust and promoting the widespread adoption of drone technology. By detecting and mitigating DoS attacks, we safeguard critical infrastructure and protect against potential disruptions, creating a safer and more reliable IoD ecosystem. Clear communication, stakeholder engagement, and proactive risk management are integral to addressing societal concerns and maximizing the project’s positive impact.

7.2. Security Risk and Solution

It is common for a system to encounter various security risks, as no system is entirely immune to potential threats. The following sections will explore specific security concerns along with their corresponding remedies.
  • Security Risk: In safeguarding DroneDefender, we have implemented measures to mitigate potential risks associated with its development and use. Identified risks include inaccurate identification of DoS attack patterns and the possibility of privilege escalation, where ordinary users could gain administrator privileges. By addressing these and other security concerns, we have proactively worked to minimize threats to the integrity of DroneDefender and ensure its effectiveness in achieving its objectives.
  • Solutions for the Risks: To tackle these challenges, we have implemented several solutions. Firstly, we enhanced dataset preprocessing by employing advanced techniques to improve the model’s robustness and accuracy. Additionally, we developed rigorous testing procedures to assess the model’s performance under various conditions. Secondly, we introduced an authentication stage that requires administrator credentials for system access. These solutions effectively resolve the issues, enabling the system to operate seamlessly.
  • Impact of data and software in the solution: the DroneDefender effectively detects DoS attack patterns on IoD networks. Extensive testing has demonstrated its efficacy in identifying these attacks, thereby strengthening the security of IoD networks. Furthermore, the system features a user-friendly interface, simplifying network management and monitoring.

8. Conclusions

This paper has made significant contributions to the fields of cybersecurity and machine learning by developing an integrated system capable of accurately identifying DoS attack patterns on IoD networks. Through comprehensive testing and evaluation, we have demonstrated the system’s effectiveness in detecting and mitigating these attacks, thereby strengthening the security posture of IoD networks. We achieved an impressive 99.93% accuracy using the Random Forest algorithm with an optimized model, following the balancing of the CIC-IDS 2018 dataset through the SMOTEENN method, as detailed in [31].
Despite being a widely recognized benchmark for assessing DoS detection, CIC-IDS2018 is still a generic wired network traffic dataset compared to one collected directly from UAV or IoD environments. Consequently, it effectively captures a variety of network-layer attack behaviors, packet-flow dynamics, and DoS traffic features that are also relevant to UAV communication. However, it falls short in addressing some aspects unique to UAVs, such as dynamic mobility architecture changes, intermittent connectivity, wireless link fluctuations, and transmission constraints related to drones. Therefore, although our findings indicate that the proposed model has substantial detection capability, they should be regarded as proof of feasibility rather than a complete substitute for actual IoD operational testing.
In order to further enhance realism and UAV specificity, future work will focus on evaluating the model using drone-generated traffic or IoD-specific datasets and incorporating wireless-layer and mobility-aware features. Looking ahead, several opportunities for boosting effectiveness and expanding impact arise. Firstly, exploring additional machine learning algorithms and techniques tailored to the distinctive characteristics of IoD networks could further enhance our model’s accuracy and efficiency in detecting DoS attacks. Additionally, conducting more comprehensive testing in diverse real-world environments, including field trials with UAV networks, would provide valuable insights into the model’s performance under varying conditions.
In order to facilitate continuous analysis of UAV traffic streams instead of relying solely on batch-uploaded data, a key approach is to adjust the system for live or near real-time monitoring. Optimizing the model for low memory consumption, reduced latency, and rapid processing will be essential to ensure practicality on integrated or lightweight gateway devices, since many IoD systems operate on resource-constrained edge or fog nodes in actual deployments. Additionally, incorporating other UAV-relevant threats into the current DoS-focused design—such as spoofing, hacking, man-in-the-middle attacks, and shifting anomalous behaviors—will enhance it and bolster its defensive capabilities. To further bridge the gap between experimental evaluation and real-world IoD deployment, it remains important to validate the system using IoD-specific or UAV-provided datasets and, ultimately, field trials.
Integrating anomaly detection mechanisms and reinforcement learning strategies could bolster the model’s adaptability to shifting threat landscapes. Finally, ongoing monitoring and updating of the model based on emerging threat intelligence and evolving attack vectors are crucial to ensure its long-term relevance and effectiveness in protecting IoD networks against DoS attacks.

Author Contributions

Conceptualization, A.A. (Albandari Alsunayt); methodology, A.A. (Albandari Alsunayt) and F.H.A.; software, S.A., R.A. (Resal Alahmadi), R.A.-R., R.A. (Roaa Alesse) and N.A.; validation, Z.A., A.A. (Albandari Alsunayt), A.A. (Amal Alahnadi), N.N. and F.H.A.; formal analysis, A.A. (Albandari Alsunayt), N.N. and A.A. (Amal Alahnadi); investigation, S.A., R.A. (Resal Alahmadi), R.A.-R., R.A. (Roaa Alesse) and N.A.; resources, S.A., R.A. (Resal Alahmadi), R.A.-R., R.A. (Roaa Alesse) and N.A.; data curation, S.A., R.A. (Resal Alahmadi), R.A.-R., R.A. (Roaa Alesse) and N.A.; writing—original draft preparation, Z.A., S.A., R.A. (Resal Alahmadi), R.A.-R., R.A. (Roaa Alesse) and N.A.; writing—review and editing, Z.A., A.A. (Amal Alahnadi), N.N. and F.H.A.; visualization, S.A., R.A. (Resal Alahmadi), R.A.-R., R.A. (Roaa Alesse) and N.A.; supervision, A.A. (Albandari Alsunayt) and N.N.; project administration, A.A. (Albandari Alsunayt). All authors have read and agreed to the published version of the manuscript.

Funding

We would like to thank the Saudi ARAMCO Cybersecurity Chair for funding this project.

Data Availability Statement

The dataset used during the current study is available publicly.

Conflicts of Interest

The authors declare no competing interests.

Abbreviations

The following abbreviations are used in this manuscript:
DoSDenial of Service
GUIGraphical User Interface
IoDInternet of Drones
IDSIntrusion Detection System
MLMachine Learning
RFRandom Forest
UAVsUnmanned Aerial Vehicles

References

  1. Zeng, Y.; Wu, Q.; Zhang, R. Accessing from the sky: A tutorial on uav communications for 5g and beyond. Proc. IEEE 2019, 107, 2327–2375. [Google Scholar] [CrossRef]
  2. Alissa, K.A.; Alotaibi, S.S.; Alrayes, F.S.; Aljebreen, M.; Alazwari, S.; Alshahrani, H.; Ahmed Elfaki, M.; Othman, M.; Motwakel, A. Crystal structure optimization with deep-autoencoder-based intrusion detection for secure internet of drones’ environment. Drones 2022, 6, 297. [Google Scholar] [CrossRef]
  3. Yaqoob, S.; Hussain, A.; Subhan, F.; Pappalardo, G.; Awais, M. Deep learning-based anomaly detection for fog-assisted iovs network. IEEE Access 2023, 11, 19024–19038. [Google Scholar] [CrossRef]
  4. Subbarayalu, V.; Vensuslaus, M.A. An intrusion detection system for drone swarming utilizing timed probabilistic automata. Drones 2023, 7, 248. [Google Scholar] [CrossRef]
  5. Buchelt, A.; Adrowitzer, A.; Kieseberg, P.; Gollob, C.; Nothdurft, A.; Eresheim, S.; Tschiatschek, S.; Stampfer, K.; Holzinger, A. Exploring artificial intelligence for applications of drones in forest ecology and management. For. Ecol. Manag. 2024, 551, 121530. [Google Scholar] [CrossRef]
  6. Pavithra, S.; Venkata Vikas, K. Detecting unbalanced network traffic intrusions with deep learning. IEEE Access 2024, 12, 74096–74107. [Google Scholar] [CrossRef]
  7. Sucharitha, Y.; Reddy, P.C.S.; Suryanarayana, G. Network intrusion detection of drones using recurrent neural networks. In Drone Technology: Future Trends and Practical Applications; John Wiley & Sons, Inc.: Hoboken, NJ, USA, 2023; Chapter 15; pp. 375–392. [Google Scholar] [CrossRef]
  8. Ouiazzane, S.; Addou, M.; Barramou, F. Dos and ddos cyberthreats detection in drone networks. In Advances in Intelligent System and Smart Technologies; Gherabi, N., Awad, A.I., Nayyar, A., Bahaj, M., Eds.; Springer: Cham, Switzerland, 2024; pp. 109–119. [Google Scholar]
  9. Rostami, M.; Farajollahi, A.; Parvin, H. Deep learning-based face detection and recognition on drones. J. Ambient. Intell. Humaniz. Comput. 2024, 15, 373–387. [Google Scholar] [CrossRef]
  10. Abed, R.A.; Hamza, E.K.; Humaidi, A.J. A modified cnn-ids model for enhancing the efficacy of intrusion detection system. Meas. Sens. 2024, 35, 101299. [Google Scholar] [CrossRef]
  11. Alturki, N.; Aljrees, T.; Umer, M.; Ishaq, A.; Alsubai, S.; Saidani, O.; Djuraev, S.; Ashraf, I. An intelligent framework for cyber–physical satellite system and iot-aided aerial vehicle security threat detection. Sensors 2023, 23, 7154. [Google Scholar] [CrossRef] [PubMed]
  12. Titu, M.F.S.; Pavel, M.A.; Michael, G.K.O.; Babar, H.; Aman, U.; Khan, R. Real-time fire detection: Integrating lightweight deep learning models on drones with edge computing. Drones 2024, 8, 483. [Google Scholar] [CrossRef]
  13. Kucukayan, G.; Karacan, H. Yolo-ihd: Improved real-time human detection system for indoor drones. Sensors 2024, 24, 922. [Google Scholar] [CrossRef]
  14. Tran, T.M.; Vu, T.N.; Nguyen, T.V.; Nguyen, K. Uit-adrone: A novel drone dataset for traffic anomaly detection. IEEE J. Sel. Top. Appl. Earth Obs. Remote Sens. 2023, 16, 5590–5601. [Google Scholar] [CrossRef]
  15. Alsumayt, A.; Nagy, N.; Alsharyofi, S.; Al Ibrahim, N.; Al-Rabie, R.; Alahmadi, R.; Alesse, R.A.; Alahmadi, A.A. Detecting denial of service attacks (DoS) over the internet of drones (IoD) based on machine learning. Sci 2024, 6, 56. [Google Scholar] [CrossRef]
  16. Rahman, K.; Aziz, M.A.; Usman, N.; Kiren, T.; Cheema, T.A.; Shoukat, H.; Bhatia, T.K.; Abdollahi, A.; Sajid, A. Cognitive lightweight logistic regression-based ids for iot-enabled fanet to detect cyberattacks. Mob. Inf. Syst. 2023, 2023, 7690322. [Google Scholar] [CrossRef]
  17. Balaji, S.; Sankaranarayanan, S. Hybrid deep-generative adversarial network-based intrusion detection model for internet of things using binary particle swarm optimization. Int. J. Electr. Electron. Res. 2022, 10, 948–953. [Google Scholar]
  18. Vijayan, P.; Sundar, S. Original research article iot intrusion detection system using ensemble classifier and hyperparameter optimization using tuna search algorithm. J. Auton. Intell. 2024, 7, 1–10. [Google Scholar] [CrossRef]
  19. Ghelani, J.; Gharia, P.; El-Ocla, H. Gradient monitored reinforcement learning for jamming attack detection in fanets. IEEE Access 2024, 12, 23081–23095. [Google Scholar] [CrossRef]
  20. Yang, Z.; Zhang, Y.; Zeng, J.; Yang, Y.; Jia, Y.; Song, H.; Lv, T.; Sun, Q.; An, J. AI-Driven Safety and Security for UAVs: From Machine Learning to Large Language Models. Drones 2025, 9, 392. [Google Scholar] [CrossRef]
  21. Mahdi, Z.; Abdalhussien, N.; Mahmood, N.; Zaki, R. Detection of Real-Time Distributed Denial-of-Service (DDoS) Attacks on Internet of Things (IoT) Networks Using Machine Learning Algorithms. Comput. Mater. Contin. 2024, 80, 2139–2159. [Google Scholar] [CrossRef]
  22. Chukwukelu, G.; Essien, A.; Salami, A.I.; Utuk, E. Comparative Analysis of Machine Learning Techniques for DDoS Intrusion Detection in IoT Environments. In Proceedings of the ICSBT International Conference on Smart Business Technologies; Science and Technology Publications, Lda: Setúbal, Portugal, 2024; pp. 19–27. [Google Scholar] [CrossRef]
  23. Adewuyi, A.; Oladele, A.A.; Enyiorji, P.U.; Ajayi, O.O.; Tsambatare, T.E.; Oloke, K.; Abijo, I. The convergence of cybersecurity, Internet of Things (IoT), and data analytics: Safeguarding smart ecosystems. World J. Adv. Res. Rev. 2024, 23, 379–394. [Google Scholar] [CrossRef]
  24. Yan, M.; Yang, R.; Zhang, Y.; Yue, L.; Hu, D. A hierarchical reinforcement learning method for missile evasion and guidance. Sci. Rep. 2022, 12, 18888. [Google Scholar] [CrossRef] [PubMed]
  25. Liu, T.; Wang, F.; Li, P. Intelligent Penetration Guidance for Hypersonic Missiles via Reinforcement Learning and Optimal Control. Preprints 2025. [Google Scholar] [CrossRef]
  26. Vuong, T.C.; Nguyen, C.C.; Pham, V.C.; Le, T.T.H.; Tran, X.N.; Van Luong, T. Effective Intrusion Detection for UAV Communications using Autoencoder-based Feature Extraction and Machine Learning Approach. arXiv 2024, arXiv:2410.02827. [Google Scholar]
  27. Ceviz, O.; Sadioglu, P.; Sen, S.; Vassilakis, V.G. A novel federated learning-based IDS for enhancing UAVs privacy and security. Internet Things 2025, 31, 101592. [Google Scholar] [CrossRef]
  28. Aldossary, M.; Alzamil, I.; Almutairi, J. Enhanced Intrusion Detection in Drone Networks: A Cross-Layer Convolutional Attention Approach for Drone-to-Drone and Drone-to-Base Station Communications. Drones 2025, 9, 46. [Google Scholar] [CrossRef]
  29. University of New Brunswick. A Realistic Cyber Defence Dataset (CSE-CIC-IDS2018). 2024. Available online: https://registry.opendata.aws/cse-cic-ids2018/ (accessed on 30 October 2024).
  30. Altulaihan, E.; Almaiah, M.A.; Aljughaiman, A. Anomaly detection ids for detecting dos attacks in iot networks based on machine learning algorithms. Sensors 2024, 24, 713. [Google Scholar] [CrossRef] [PubMed]
  31. Mehmood, R.T.; Ahmed, G.; Siddiqui, S. Simulating ml-based intrusion detection system for unmanned aerial vehicles (uavs) using cooja simulator. In Proceedings of the 2022 16th International Conference on Open Source Systems and Technologies (ICOSST), Lahore, Pakistan, 14–16 December 2022; pp. 1–10. [Google Scholar] [CrossRef]
Sci 08 00020 g001
Figure 1. Paper organization.
Figure 1. Paper organization.
Sci 08 00020 g001
Sci 08 00020 g002
Figure 2. The bibliometric analysis of published years and the co-occurrence of the author’s keywords.
Figure 2. The bibliometric analysis of published years and the co-occurrence of the author’s keywords.
Sci 08 00020 g002
Sci 08 00020 g003
Figure 3. DroneDefender’s UAV IDS system model.
Figure 3. DroneDefender’s UAV IDS system model.
Sci 08 00020 g003
Sci 08 00020 g004
Figure 4. DroneDefender’s UAV IDS use case diagram.
Figure 4. DroneDefender’s UAV IDS use case diagram.
Sci 08 00020 g004
Sci 08 00020 g005
Figure 5. System login page.
Figure 5. System login page.
Sci 08 00020 g005
Sci 08 00020 g006
Figure 6. System home page.
Figure 6. System home page.
Sci 08 00020 g006
Sci 08 00020 g007
Figure 7. System alert page.
Figure 7. System alert page.
Sci 08 00020 g007
Sci 08 00020 g008
Figure 8. Blacklisted IPs page.
Figure 8. Blacklisted IPs page.
Sci 08 00020 g008
Sci 08 00020 g009
Figure 9. The distribution of both classes in the original dataset.
Figure 9. The distribution of both classes in the original dataset.
Sci 08 00020 g009
Sci 08 00020 g010
Figure 10. The distribution of both classes in the training dataset after applying SMOTEENN.
Figure 10. The distribution of both classes in the training dataset after applying SMOTEENN.
Sci 08 00020 g010
Sci 08 00020 g011
Figure 11. The confusion matrix of the Basic model with the original dataset.
Figure 11. The confusion matrix of the Basic model with the original dataset.
Sci 08 00020 g011
Sci 08 00020 g012
Figure 12. The confusion matrix of the Basic model with the SMOTEENN dataset.
Figure 12. The confusion matrix of the Basic model with the SMOTEENN dataset.
Sci 08 00020 g012
Sci 08 00020 g013
Figure 13. The confusion matrix of the optimized model with the original dataset.
Figure 13. The confusion matrix of the optimized model with the original dataset.
Sci 08 00020 g013
Sci 08 00020 g014
Figure 14. The confusion matrix of the optimized model with the SMOTEENN dataset.
Figure 14. The confusion matrix of the optimized model with the SMOTEENN dataset.
Sci 08 00020 g014
Sci 08 00020 g015
Figure 15. The interface in the case of invalid login.
Figure 15. The interface in the case of invalid login.
Sci 08 00020 g015
Sci 08 00020 g016
Figure 16. Before uploading the traffic data interface.
Figure 16. Before uploading the traffic data interface.
Sci 08 00020 g016
Table 1. Summary of related works on intrusion detection systems in Internet of Drones (IoD).
Table 1. Summary of related works on intrusion detection systems in Internet of Drones (IoD).
StudyFocusMethodologyKey Findings
[10]Intrusion Detection ModelsUsing the UNSW-NB15 dataset with SVD and PCA for feature selectionImproved accuracy in binary classification, with Ridge Regression achieving up to 98.13% accuracy.
[11]Cybersecurity Architecture for IoT DronesVoting ensemble of ML algorithms for data fusionAchieved 99.89% accuracy in real-time cyberattack detection.
[16]Anomalous Activity Detection in UAV NetworksCognitive lightweight-LR strategy and UNSW-NB15 datasetEffective in detecting anomalies, balancing high accuracy with low false alarms.
[2]FANET-Based IDSCSODAE-ID algorithm with MDHO-FS and AutoencoderHigh accuracy of 99.12% in intrusion detection within IoD.
[3]Fog Computing SecurityCAaDet for anomaly detectionAddressing security anomalies for fog-assisted IoVs.
[6]Hybrid Detection SystemTechniques include XGBoost, Mini-VGGNet, LSTMImproved detection accuracy by addressing class imbalance in network traffic data.
[17]Deep Learning-Based Hybrid ApproachGANs for anomaly detectionSuperior detection of DDoS attacks, with reduced false-positive rates.
[18]Group Classifier with OptimizationTuna Swarm Optimization and MQTT datasetAchieved classification accuracy of 99.12% for IoT attacks.
[19]Reinforcement Learning MechanismRLGM for jamming attack detectionOutperforms traditional methods and enhances efficiency in training.
Table 2. Description of the selected features.
Table 2. Description of the selected features.
Feature NameDescription
DstPortDestination port number.
TotBwdPktsTotal packets in the backward direction.
TotFwdPktsTotal packets in the forward direction.
FlowIATMeanMean time between two packets sent in the forward direction.
BwdIATStdStandard deviation time between two packets sent in the backward direction.
FwdPktLenMaxThe maximum size of the packet is in the forward direction.
BwdURGFlagsThe frequency with which packets move rearward has the URG flag set.
URGFlagCntNumber of URG packets.
SYNFlagCntNumber of SYN packets.
IdleMaxThe maximum time the flow was idle.
IdleMeanMean time the flow was idle.
Down/UpRatioDownload and upload ratio.
Table 3. Hyperparameters’ search space values and optimal values.
Table 3. Hyperparameters’ search space values and optimal values.
ModelHyperparametersSearch Space ValuesOptimal Values (Original Dataset)Optimal Value (with SMOTEENN)
RFmax_depth[None, 20, 30]2020
max_features[‘sqrt’, ‘log2’, None]‘sqrt’‘sqrt’
min_samples_leaf[1, 2]11
min_samples_split[2, 5]1010
n_estimators[200, 300]200200
XGBoostcolsample_bytree[0.8, 1.0]0.81.0
gamma[0, 0.5]00.5
learning_rate[0.05, 0.1]77
max_depth[3, 5, 7]0.10.1
min_child_weigh[1, 5]11
n_estimators[200, 400]400400
reg_lambda[1, 5]11
subsample[0.8, 1.0]1.00.8
Table 4. Confusion matrix table.
Table 4. Confusion matrix table.
Predicted PositivePredicted Negative
Actual PositiveTrue Positive (TP)False Negative (FN)
Actual NegativeFalse Positive (FP)True Negative (TN)
Table 5. The results with different parameters and dataset settings.
Table 5. The results with different parameters and dataset settings.
ClassifierParametersDataAccuracyRecallPrecisionF1-Score
RFDefault parametersOriginal99.99%100%100%100%
RFDefault parametersSMOTEENN99.92%100%100%100%
RFBest parametersOriginal99.99%100%100%100%
RFBest parametersSMOTEENN99.93%100%100%100%
XGBoostBest parametersOriginal99.96%99.72%99.69%99.71%
XGBoostBest parametersSMOTEENN99.96%99.97%99.49%99.73%
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Alsumayt, A.; Nagy, N.; Alsharyofi, S.; Alahmadi, R.; Al-Rabie, R.; Alesse, R.; Alibrahim, N.; Alahmadi, A.; Alghamedy, F.H.; Alfawaer, Z. Cutting-Edge DoS Attack Detection in Drone Networks: Leveraging Machine Learning for Robust Security. Sci 2026, 8, 20. https://doi.org/10.3390/sci8010020

AMA Style

Alsumayt A, Nagy N, Alsharyofi S, Alahmadi R, Al-Rabie R, Alesse R, Alibrahim N, Alahmadi A, Alghamedy FH, Alfawaer Z. Cutting-Edge DoS Attack Detection in Drone Networks: Leveraging Machine Learning for Robust Security. Sci. 2026; 8(1):20. https://doi.org/10.3390/sci8010020

Chicago/Turabian Style

Alsumayt, Albandari, Naya Nagy, Shatha Alsharyofi, Resal Alahmadi, Renad Al-Rabie, Roaa Alesse, Noor Alibrahim, Amal Alahmadi, Fatemah H. Alghamedy, and Zeyad Alfawaer. 2026. "Cutting-Edge DoS Attack Detection in Drone Networks: Leveraging Machine Learning for Robust Security" Sci 8, no. 1: 20. https://doi.org/10.3390/sci8010020

APA Style

Alsumayt, A., Nagy, N., Alsharyofi, S., Alahmadi, R., Al-Rabie, R., Alesse, R., Alibrahim, N., Alahmadi, A., Alghamedy, F. H., & Alfawaer, Z. (2026). Cutting-Edge DoS Attack Detection in Drone Networks: Leveraging Machine Learning for Robust Security. Sci, 8(1), 20. https://doi.org/10.3390/sci8010020

Article Metrics

Article metric data becomes available approximately 24 hours after publication online.
Back to TopTop