An AI + Deep Learning project that detects DDoS attacks at early stages by analyzing temporal network traffic behavior using a Hybrid Hierarchical BiGRU model and a real-time Streamlit monitoring dashboard.
Traditional DDoS detection systems classify traffic as simply normal or attack β often too late to prevent damage. This project introduces a three-stage detection approach:
| Stage | Label | Meaning |
|---|---|---|
| 0 | π’ Normal | Regular network traffic |
| 1 | π‘ Early DDoS Warning | Suspicious patterns detected early |
| 2 | π΄ Active Attack | Full DDoS attack in progress |
By detecting attacks before they fully develop, the system enables proactive defense rather than reactive response.
- Loaded 4 training + 4 testing parquet files from the CICDDoS2019 dataset
- Removed duplicates, missing values, and infinite values
- Selected 41 important network traffic features (packet rates, flow duration, TCP flags)
- Created custom Early Stage labels from the first portion of each attack sequence
- Attack type distribution analysis
- Normal vs attack traffic comparison
- Feature correlation heatmaps and pairplots
- Confirmed clear behavioral differences between normal and attack traffic
| Model | Approach | Accuracy |
|---|---|---|
| Gradient Boosting | Baseline ML classifier | 68% |
| GRU | Temporal deep learning (40-packet sequences) | 75% |
| Hybrid Hierarchical BiGRU | Autoencoder + two-stage BiGRU | 75% |
The best-performing model works in two stages:
- Stage 1 Model β Binary classifier: Normal vs DDoS
- Stage 2 Model β Multiclass: Early DDoS vs Full Attack
An Autoencoder trained on normal traffic extracts anomaly features, which are combined with original features for richer input representation.
A real-time Security Operations Center (SOC) interface providing:
- Dataset Analysis Mode β Upload and analyze complete traffic logs
- Live Traffic Simulation Mode β Stream traffic window by window
- Automated mitigation: allow / rate-limit / block IP
- Live SOC metrics: blocked IPs, rate-limited IPs, total attacks
- Real-time detection trend graph
Upload network traffic data and choose detection mode (Dataset / Live Simulation).

Displays real-time classification: Normal / Early Warning / Attack along with source IP and mitigation trigger.

Security Operations Center (SOC) dashboard showing attack trends, blocked IPs, and mitigation actions.

- Language: Python
- Environment: Jupyter Notebook, Streamlit
- Libraries: pandas, numpy, matplotlib, seaborn, scikit-learn, tensorflow, keras, streamlit, pyarrow
- Models: Gradient Boosting, GRU, Autoencoder, Hierarchical BiGRU
- Dataset: CICDDoS2019 (Kaggle)
This project uses the CICDDoS2019 dataset available on Kaggle:
Only the following 8 files were used:
Training files:
Syn-training.parquetUDP-training.parquetLDAP-training.parquetMSSQL-training.parquet
Testing files:
Syn-testing.parquetUDP-testing.parquetLDAP-testing.parquetMSSQL-testing.parquet
β οΈ The raw parquet files are not included in this repository due to their large size. Download them from the Kaggle link above and place them in araw_data/folder before running the notebook.
-
Clone the repository: git clone https://github.com/SubhasriiT/DDoS_Attack_Prediction.git
-
Navigate to the project folder: cd ddos-attack-prediction
-
Install required libraries: pip install -r requirements.txt
Open the notebook to explore the full ML pipeline: jupyter notebook DDoS_Analysis.ipynb
Run all cells in order to perform data preprocessing, EDA, model training, and evaluation.
streamlit run app.py
Once launched:
- Choose Dataset Analysis or Live Traffic Simulation from the sidebar
- Upload
DDoS_Processed_Data.csvfrom theData/folder - Click Start Monitoring to begin live simulation
- Observe real-time classifications, SOC metrics, and automated mitigation actions
| Metric | Value |
|---|---|
| Best Model | Hybrid Hierarchical BiGRU |
| Best Accuracy | 75% |
| Detection Stages | Normal / Early DDoS / Full Attack |
| Mitigation Actions | Allow / Rate-Limit / Block IP |
| Dashboard | Real-time Streamlit SOC Interface |
- Three-stage detection: Normal β Early Warning β Full Attack
- Temporal behavior modeling using GRU and BiGRU
- Anomaly detection using Autoencoder on normal traffic
- Hierarchical classification for precise attack staging
- Real-time Streamlit SOC dashboard with live metrics
- Automated IP mitigation (rate-limit and block)
- Works on standard network traffic CSV data
- Detects DDoS attacks before they fully occur
- Uses temporal deep learning (BiGRU) for sequence modeling
- Implements hierarchical classification for better accuracy
- Combines autoencoder + supervised learning
- Provides a real-time SOC dashboard
- Model loading may fail if TensorFlow/Keras versions mismatch
- Ensure correct versions are installed using
requirements.txt - Large datasets may slow down live simulation mode
Contributions are welcome. If you would like to improve this project:
- Fork the repository
- Create a new branch
- Make your changes
- Submit a pull request
This project is licensed under the MIT License and is intended for educational purposes.
For any queries or suggestions, feel free to reach out:
Name: Subhasri
Email: [email protected]
GitHub: SubhasriiT