
Method for Detecting Low-Intensity DDoS Attacks Based on a Combined Neural Network and Its Application in Law Enforcement Activities

Author

Listed:
  • Serhii Vladov

    (Department of Scientific Activity Organisation, Kharkiv National University of Internal Affairs, 27, L. Landau Avenue, 61080 Kharkiv, Ukraine
    Department of Combating Cybercrime, Kharkiv National University of Internal Affairs, 27, L. Landau Avenue, 61080 Kharkiv, Ukraine)

  • Oksana Mulesa

    (Department of Physics, Mathematics and Technologies, University of Prešov, 3, Námestie Legionárov, 080 01 Prešov, Slovakia
    Department of Software Systems, Uzhhorod National University, 3, Narodna Square, 88000 Uzhhorod, Ukraine)

  • Victoria Vysotska

    (Department of Combating Cybercrime, Kharkiv National University of Internal Affairs, 27, L. Landau Avenue, 61080 Kharkiv, Ukraine
    Information Systems and Networks Department, Lviv Polytechnic National University, 12, Bandera Street, 79013 Lviv, Ukraine)

  • Petro Horvat

    (Department of Computer Systems and Networks, Uzhhorod National University, 3, Narodna Square, 88000 Uzhhorod, Ukraine)

  • Nataliia Paziura

    (Aviation English Department, State University “Kyiv Aviation Institute”, 1, Liubomyra Huzara Avenue, 03680 Kyiv, Ukraine)

  • Oleksandra Kolobylina

    (Department of Legal Disciplines, Sumy Branch of Kharkiv National University of Internal Affairs, 24 Miru Street, 40007 Sumy, Ukraine)

  • Oleh Mieshkov

    (Fire and Electrical Research Sector of the Engineering and Technical Research Laboratory, National Scientific Centre “Hon. Prof. M. S. Bokarius Forensic Science Institute”, 8-A, Zolochivska Street, 61177 Kharkiv, Ukraine)

  • Oleksandr Ilnytskyi

    (Department of Scientific and Organisational Support for Interaction with State Authorities and the Public, National Academy of Legal Sciences of Ukraine, 70, Hryhorii Skovoroda Street, 61024 Kharkiv, Ukraine)

  • Oleh Koropatov

    (Department of Administrative and Legal Disciplines, Odesa State University of Internal Affairs, 1 Uspenska Street, 65014 Odesa, Ukraine)

Abstract

The article presents a method for detecting low-intensity DDoS attacks, focused on identifying difficult-to-detect “low-and-slow” scenarios that remain undetectable by traditional defence systems. The key feature of the developed method is the integration of statistical criteria (χ² and T statistics, energy ratio, reconstruction errors) with a combined neural network architecture, including convolutional and transformer blocks coupled with an autoencoder and a calibrated regressor. The developed neural network architecture combines mathematical validity and high sensitivity to weak anomalies with the ability to generate interpretable artefacts that are suitable for subsequent forensic analysis. The developed method implements a multi-layered process in which the first level statistically evaluates the flow intensity and interpacket intervals, and the second level processes features using a neural network module, generating an integral blend-score metric S. ROC-AUC and PR-AUC metrics, learning curve analysis, and an estimate of the calibration error (ECE) were used for validation. Experimental results demonstrated the superiority of the proposed method over existing approaches, as the achieved values of ROC-AUC and PR-AUC were 0.80 and 0.866, respectively, with an ECE level of 0.04, indicating a high accuracy of attack detection. The study’s contribution lies in the development of a method combining statistical and neural network analysis, as well as in ensuring the evidentiary value of the results through the generation of structured incident reports (PCAP slices, time windows, cryptographic hashes). The obtained results expand the toolkit for cyber-attack analysis and open up prospects for the method’s practical application in monitoring systems and law enforcement agencies.

Suggested Citation

  • Serhii Vladov & Oksana Mulesa & Victoria Vysotska & Petro Horvat & Nataliia Paziura & Oleksandra Kolobylina & Oleh Mieshkov & Oleksandr Ilnytskyi & Oleh Koropatov, 2025. "Method for Detecting Low-Intensity DDoS Attacks Based on a Combined Neural Network and Its Application in Law Enforcement Activities," Data, MDPI, vol. 10(11), pages 1-55, October.
  • Handle: RePEc:gam:jdataj:v:10:y:2025:i:11:p:173-:d:1783789

    Download full text from publisher

    File URL: https://www.mdpi.com/2306-5729/10/11/173/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2306-5729/10/11/173/
    Download Restriction: no