Online machine learning for proactive threat intelligence and timely DDoS attack prediction
摘要
Distributed Denial of Service (DDoS) attacks are rapidly escalating in scale and sophistication, posing critical threats to modern cloud infrastructures. Recent reports from Cloudflare show unprecedented attack volumes, 20·5 M attacks in Q1 2025, and sophisticated patterns such as low-rate stealth or bursty bots, underscoring the need for timely, automated threat intelligence. Traditional defenses – static IDS signatures or threshold rules – remain reactive and incur high false-alarm rates. To address these gaps, we propose a real-time ML framework for proactive DDoS defense. We built a unified labeled dataset from public (CIC-IDS2017 DDoS and CIC-DDoS2019) and proprietary, pfSense traffic captures, enriched with MISP threat indicators. In a comparative supervised evaluation, we trained multiple classifiers (SVM, Random Forest, XGBoost) via cross-validated grid search, using accuracy, precision, and recall as key metrics. The architecture routes all traffic through a pfSense gateway into a Wazuh analytics node, with OpenSearch and Grafana, for streaming feature extraction and prediction. Results show all models achieved near-perfect detection (≈99.99% accuracy, 100% precision/recall) on test data. XGBoost slightly outperformed the others and maintained