Detecting and Mitigating DDoS Attacks with AI: A Survey

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Distributed Denial of Service attacks represent an active cybersecurity research problem. Recent research has shifted from static rule-based defenses towards AI-based detection and mitigation. This comprehensive survey covers several key topics. Preeminently, state-of-the-art AI detection methods are discussed. An in-depth taxonomy based on manual expert hierarchies and an AI-generated dendrogram are provided, thus settling DDoS categorization ambiguities. An important discussion on available datasets follows, covering data format options and their role in training AI detection methods together with adversarial training and example augmentation. Beyond detection, AI-based mitigation techniques are surveyed as well. Finally, multiple open research directions are proposed.


💡 Research Summary

The paper presents a comprehensive survey of artificial‑intelligence techniques for detecting and mitigating Distributed Denial‑of‑Service (DDoS) attacks. Beginning with a market overview, the authors note a sharp rise in DDoS incidents between 2020 and 2022 and project the global DDoS‑protection market to exceed ten billion dollars by 2030, driven by 5G adoption, IoT proliferation, and cloud‑based services. The survey adopts the CISA/FBI taxonomy, dividing attacks into volumetric, protocol, and application categories, and resolves existing classification ambiguities by providing both a manual hierarchical taxonomy and an automatically generated dendrogram using agglomerative clustering.

A major contribution is the detailed discussion of data formats. The authors compare raw packet captures, flow‑graph representations, time‑series aggregates, and tabular flow records, explaining how each influences the choice of machine‑learning (k‑NN, SVM, Random Forest) and deep‑learning (CNN, LSTM, Graph Neural Networks, Transformers) models. They highlight the over‑fitting problem of widely used public datasets (CIC‑IDS‑2017, UNSW‑NB15, MAWI, IoT‑23) and advocate for cross‑dataset generalization, synthetic data generation (SMOTE, ADASYN, CTGAN), and adversarial training (FGSM, JSMA) to improve robustness.

In the detection section, the survey catalogs more than thirty approaches, ranging from classical statistical methods to state‑of‑the‑art large language models (LLMs). Performance is evaluated on accuracy, detection latency, false‑positive rate, and computational cost, with particular attention to the trade‑off between lightweight models (LightGBM, XGBoost) for real‑time deployment and heavyweight deep networks for maximum detection power. Explainable AI techniques such as SHAP, LIME, and attention visualizations are discussed as essential for auditing and regulatory compliance.
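The data-format discussion above (tabular flow records, time-series aggregates, flow graphs) and the classical statistical detectors mentioned in the detection section, as an added example that is not code from the paper: constructed flow records are aggregated into per-window features and a flow-graph in-degree, and a z-score threshold against baseline windows flags the anomalous window. The field names, the 1 s window, and the traffic itself are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:  # one tabular flow record (constructed; CIC-style fields simplified)
    ts: float        # seconds since capture start
    src: str
    dst: str
    pkts: int
    nbytes: int
    syn_only: bool   # SYN seen with no completing ACK (half-open)

def time_series_features(flows, window=1.0):
    """Bucket flow records into fixed windows and compute per-window aggregates."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[int(f.ts // window)].append(f)
    feats = {}
    for w, fs in sorted(buckets.items()):
        pkts = sum(f.pkts for f in fs)
        feats[w] = {"pps": pkts / window,
                    "uniq_src": len({f.src for f in fs}),
                    "syn_ratio": sum(f.syn_only for f in fs) / len(fs),
                    "bytes_per_pkt": sum(f.nbytes for f in fs) / pkts}
    return feats

def dst_in_degree(flows):
    """Flow-graph view: distinct sources per destination (node in-degree)."""
    srcs = defaultdict(set)
    for f in flows:
        srcs[f.dst].add(f.src)
    return {d: len(s) for d, s in srcs.items()}

def zscore_alerts(feats, key, baseline, k=3.0):
    """Classical statistical detector: flag windows whose feature sits more
    than k standard deviations above the mean of the baseline windows."""
    vals = [feats[w][key] for w in baseline]
    mu, sd = mean(vals), pstdev(vals) or 1e-9   # guard a perfectly flat baseline
    return sorted(w for w, f in feats.items()
                  if w not in baseline and (f[key] - mu) / sd > k)

# Constructed traffic: 5 s of normal HTTPS flows, then a 1 s spoofed SYN flood.
NORMAL = [Flow(t + i * 0.2, f"10.0.0.{i + 1}", "10.1.1.5",
               10 + t % 3, 750 * (10 + t % 3), False)
          for t in range(5) for i in range(4)]
FLOOD = [Flow(5 + i * 0.001, f"203.0.113.{i}", "10.1.1.5", 1, 60, True)
         for i in range(200)]
FEATS = time_series_features(NORMAL + FLOOD)
```

Note that `bytes_per_pkt` drops during the flood rather than rising, so a one-sided threshold on it stays silent; which features carry the signal depends on the attack class, which is why the survey treats the data format as a modelling decision.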

The mitigation part reveals that most existing work still relies on manually crafted firewall rules. Recent studies employing decision‑tree policy generation, GAN‑based attack simulation, and LLM‑driven rule synthesis are summarized, but the authors note that fully automated mitigation pipelines remain nascent.

Finally, the paper outlines six research directions: (1) creation of cross‑domain, multi‑cloud datasets; (2) hybrid static‑dynamic defense architectures; (3) energy‑efficient real‑time processing; (4) integration of explainable and ethical AI; (5) robust defenses against adversarial attacks; and (6) leveraging LLMs for automated policy generation. By systematically reviewing detection and mitigation methods, data considerations, and open challenges, the survey provides a clear roadmap for future AI‑driven DDoS defense research.

