A Study on Semi-Supervised Detection of DDoS Attacks under Class Imbalance

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

One of the most difficult challenges in cybersecurity is eliminating Distributed Denial of Service (DDoS) attacks. Automating this task using artificial intelligence is a complex process due to the inherent class imbalance and lack of sufficient labeled samples of real-world datasets. This research investigates the use of Semi-Supervised Learning (SSL) techniques to improve DDoS attack detection when data is imbalanced and partially labeled. In this process, 13 state-of-the-art SSL algorithms are evaluated for detecting DDoS attacks in several scenarios. We evaluate their practical efficacy and shortcomings, including the extent to which they work in extreme environments. The results will offer insight into designing intelligent Intrusion Detection Systems (IDSs) that are robust against class imbalance and handle partially labeled data.


💡 Research Summary

This paper tackles the dual challenges of class imbalance and label scarcity that plague the detection of Distributed Denial‑of‑Service (DDoS) attacks in real‑world network traffic. While machine‑learning‑based intrusion detection systems (IDS) can process massive volumes of data and adapt to evolving threats, they typically require a substantial amount of accurately labeled samples. In DDoS datasets, benign traffic overwhelmingly dominates, and obtaining expert‑labeled attack instances is both costly and time‑consuming. The authors therefore explore semi‑supervised learning (SSL) as a means to leverage abundant unlabeled data while only a tiny fraction of the samples are labeled. They also acknowledge that SSL alone may not fully mitigate the bias introduced by severe class imbalance, prompting an investigation of how SSL interacts with class‑imbalance‑learning (CIL) techniques.

To conduct a systematic evaluation, the authors use the publicly available CIC‑DDoS2019 dataset. They artificially create four imbalance ratios—1:10, 1:100, 1:500, and 1:1000—by varying the number of benign (majority) samples relative to a single malicious (minority) sample. For each imbalance setting, 90 % of the data is allocated for training and 10 % for testing. Within the training set, they randomly retain only 1 %, 5 %, 10 %, or 20 % of the labels, ensuring that the proportion of labeled instances is consistent across both classes. This yields 16 distinct experimental scenarios that span a wide spectrum of difficulty.

Thirteen state‑of‑the‑art SSL algorithms are benchmarked: AdaMatch, FixMatch, FlexMatch, Label Propagation (LP), Label Spreading (LS), Mean Teacher (MT), MixMatch, Π‑Model, Pseudo‑Labeling, Self‑Training (ST), Virtual Adversarial Training (VAT), SimCLR, and Suppressed Consistency Loss (SCL). All methods are evaluated using the F1‑score, averaged over 10‑fold cross‑validation, with standard deviations reported.
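The scenario grid described above (four imbalance ratios, a stratified 90/10 split, and 1/5/10/20 % label retention per class), as an added example that is not code from the paper or this page. The function names, the constructed row ids, the floor of one labeled row per class, and the use of macro-averaged F1 for the never-alert baseline are assumptions; the page does not say which F1 averaging the authors report.

```python
import random

UNLABELED = -1  # visible label for rows whose ground truth is hidden

def build_scenario(attack, benign, ratio, label_pct, seed=0):
    """Return (train, test); train rows are (row, visible_label, true_label)."""
    rng = random.Random(seed)
    need = len(attack) * ratio  # 1:ratio means attack:benign
    if need > len(benign):
        raise ValueError(f"not enough benign rows for 1:{ratio}")
    pools = {1: list(attack), 0: rng.sample(benign, need)}
    train, test = [], []
    for cls, rows in pools.items():
        rng.shuffle(rows)
        n_test = len(rows) // 10  # stratified 90/10 split
        test += [(r, cls) for r in rows[:n_test]]
        kept = rows[n_test:]
        # Same labeled share in both classes. The floor of 1 is an added
        # assumption so the minority class never ends up with no labels.
        n_lab = max(1, len(kept) * label_pct // 100)
        train += [(r, cls if i < n_lab else UNLABELED, cls) for i, r in enumerate(kept)]
    rng.shuffle(train)
    return train, test

def f1(y_true, y_pred, cls):
    tp = sum(t == cls and p == cls for t, p in zip(y_true, y_pred))
    fp = sum(t != cls and p == cls for t, p in zip(y_true, y_pred))
    fn = sum(t == cls and p != cls for t, p in zip(y_true, y_pred))
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def all_benign_baseline(test):
    """Per-class and macro F1 of a detector that never flags an attack."""
    y_true = [c for _, c in test]
    y_pred = [0] * len(y_true)
    f_ben, f_atk = f1(y_true, y_pred, 0), f1(y_true, y_pred, 1)
    return f_ben, f_atk, (f_ben + f_atk) / 2

def scenario_grid(attack, benign):
    """Rows of (ratio, label_pct, labeled_attack_rows, baseline_macro_f1)."""
    grid = []
    for ratio in (10, 100, 500, 1000):
        for pct in (1, 5, 10, 20):
            train, test = build_scenario(attack, benign, ratio, pct)
            labeled_atk = sum(1 for _, vis, _ in train if vis == 1)
            grid.append((ratio, pct, labeled_atk, all_benign_baseline(test)[2]))
    return grid

# Constructed sample rows; ids stand in for CIC-DDoS2019 flow records.
ATTACK = [("atk", i) for i in range(100)]
BENIGN = [("ben", i) for i in range(100_000)]
```

Calling `scenario_grid(ATTACK, BENIGN)` returns the 16 scenarios; with 100 attack rows, the 1 % setting leaves a single labeled attack row at every ratio. Under macro averaging the never-alert baseline scores just under 0.5 in all 16 cells, which gives a reference point when reading scores that sit near 0.5.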

Key findings can be summarized as follows:

  1. Overall best performer – SCL consistently outperforms all other methods across every imbalance ratio and labeling fraction, indicating strong robustness to both label scarcity and class skew.

  2. Moderate imbalance (1:10) – FixMatch achieves a peak F1 of 0.9920 at 5 % labeling and shows stable performance across labeling levels. LP and ST also maintain very high scores (>0.996) regardless of label proportion, demonstrating that certain consistency‑based SSL approaches can thrive even with minimal supervision.

  3. Increasing imbalance (1:100) – Most algorithms experience a sharp drop in effectiveness. FixMatch’s F1 falls to 0.6830 at 1 % labeling and continues to decline as more labels are added, suggesting over‑reliance on a tiny labeled subset. AdaMatch, LP, LS, and ST all plateau around 0.5, indicating an inability to exploit the sparse labeled data in this regime. UDA remains relatively better at very low labeling (0.7629 at 1 %) but also degrades with higher label fractions. VAT retains moderate performance (≈0.67 at 20 % labeling), showing better balance between labeled and unlabeled information.

  4. Severe imbalance (1:500 and 1:1000) – The performance gap widens further. SCL still leads, while most other methods hover near random‑guess levels (F1 ≈ 0.5). VAT is the most resilient among the non‑SCL methods, maintaining F1 scores around 0.54–0.67 even when the minority class constitutes only 0.1 % of the data. FixMatch, AdaMatch, and UDA all collapse to near‑baseline values, underscoring their limited scalability under extreme skew.

  5. Algorithmic sensitivities – Some methods (MixMatch, FlexMatch) display counter‑intuitive behavior, where increasing the proportion of labeled data actually harms performance, likely due to over‑fitting to noisy pseudo‑labels. Others (Mean Teacher, SimCLR) show modest adaptability but never reach the levels achieved by SCL or VAT.

The authors discuss that the observed variability stems from each algorithm’s reliance on different assumptions: pseudo‑label confidence, consistency regularization strength, or adversarial perturbation robustness. When the labeled set is extremely small, methods that heavily weight pseudo‑labels (e.g., FixMatch) can be misled, whereas approaches that enforce smoothness across the data manifold (e.g., VAT) or suppress noisy consistency (SCL) are more tolerant.

The paper concludes that semi‑supervised learning offers a promising avenue for DDoS detection under realistic constraints, but the choice of algorithm must be guided by the expected degree of class imbalance and labeling budget. SCL emerges as the most reliable across all tested conditions, while VAT provides a strong alternative when computational resources allow adversarial training. The authors recommend future work on hybrid strategies that combine sampling‑based CIL (e.g., informed undersampling or synthetic minority oversampling) with SSL, as well as meta‑learning frameworks that can adaptively select the best SSL paradigm based on dataset characteristics.

In summary, this comprehensive empirical study provides valuable guidance for practitioners seeking to deploy intelligent IDS solutions in environments where attack data are scarce, heavily outnumbered by benign traffic, and continuously evolving. It highlights both the potential and the limitations of current SSL techniques, paving the way for more robust, cost‑effective DDoS detection systems.

