Real-time DDoS mitigation using a Q-Ensemble of three one-class anomaly detectors (Isolation Forest, VAE Autoencoder, One-Class SVM) trained on the CIC-DDoS2019 dataset, with a Rust-based real-time packet ingestion agent for live detection.
```bash
# 1. Install dependencies
uv sync
# 2. Train all models + evaluate
uv run python train.py
# 3. Export to ONNX (skip retraining)
uv run python train.py --export-only
```

Note: The dataset must be placed in `Datasets/cicddos2019/` as parquet files. Download from: https://www.kaggle.com/datasets/dhoogla/cicddos2019
```bash
# 1. Build the detection agent
cargo build --release
# 2. Run on a network interface (requires root/CAP_NET_RAW)
sudo ./target/release/ensemble-ddos-detection \
    --interface eth0 \
    --models-dir models/exported/onnx/ \
    --timeout 120
```

| Flag | Default | Description |
|---|---|---|
| `-i, --interface` | (required) | Network interface to capture on (e.g. eth0, wlan0) |
| `-m, --models-dir` | `models/exported/onnx` | Path to ONNX models + JSON configs |
| `-t, --timeout` | 120 | Flow inactivity timeout in seconds |
| `-s, --sweep-interval` | 10 | How often to classify expired flows (seconds) |
The agent captures live traffic, groups packets into bidirectional flows, computes 54 CICFlowMeter-style features per flow, and runs the ensemble through ONNX Runtime. Detected attacks are logged with 🚨 alerts showing source/destination IPs, protocol, and the combined detection probability.
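The flow-table logic the paragraph describes, as an added Python example (not the agent's Rust code): packets are keyed by their canonical bidirectional 5-tuple, the direction of the first packet is the forward direction, flows idle for longer than the inactivity timeout (the agent's `--timeout`) are expired on each sweep, and a handful of CICFlowMeter-style statistics are computed on expiry. The packets are a constructed sample; the `Packet`/`FlowTable` types and the feature names are assumptions for illustration, not the agent's own identifiers.

```python
"""Bidirectional flow aggregation with inactivity timeout and a handful of
CICFlowMeter-style features (added example, pure Python; not the agent's Rust code)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:  # hypothetical: just the header fields the flow table needs
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "TCP" or "UDP"
    length: int    # bytes on the wire


FlowKey = Tuple[str, int, str, int, str]


def canonical_key(p: Packet) -> FlowKey:
    """Same key for both directions: order the two endpoints, then append the protocol."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


@dataclass
class Flow:
    key: FlowKey
    initiator: Tuple[str, int]   # endpoint that sent the first packet = forward direction
    first_ts: float
    last_ts: float
    fwd_lens: List[int] = field(default_factory=list)
    bwd_lens: List[int] = field(default_factory=list)
    iats: List[float] = field(default_factory=list)   # inter-arrival times, both directions

    def add(self, p: Packet) -> None:
        if self.fwd_lens or self.bwd_lens:          # not the first packet: record the gap
            self.iats.append(p.ts - self.last_ts)
        self.last_ts = max(self.last_ts, p.ts)
        (self.fwd_lens if (p.src, p.sport) == self.initiator else self.bwd_lens).append(p.length)

    def features(self) -> Dict[str, float]:
        """A subset of the CICFlowMeter-style statistics the agent computes per flow."""
        lens = self.fwd_lens + self.bwd_lens
        duration = self.last_ts - self.first_ts
        return {
            "flow_duration": duration,
            "tot_fwd_pkts": len(self.fwd_lens),
            "tot_bwd_pkts": len(self.bwd_lens),
            "totlen_fwd_pkts": sum(self.fwd_lens),
            "totlen_bwd_pkts": sum(self.bwd_lens),
            "pkt_len_mean": mean(lens),
            "pkt_len_std": pstdev(lens),
            "flow_pkts_per_s": len(lens) / duration if duration > 0 else 0.0,
            "flow_iat_mean": mean(self.iats) if self.iats else 0.0,
            "down_up_ratio": len(self.bwd_lens) / len(self.fwd_lens),
        }


class FlowTable:
    """Active flows keyed by canonical 5-tuple; `sweep` expires and returns idle flows."""

    def __init__(self, timeout_s: float) -> None:
        self.timeout_s = timeout_s
        self.flows: Dict[FlowKey, Flow] = {}

    def ingest(self, p: Packet) -> None:
        key = canonical_key(p)
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(key, (p.src, p.sport), p.ts, p.ts)
            self.flows[key] = flow
        flow.add(p)

    def sweep(self, now: float) -> List[Flow]:
        """Remove flows idle longer than the timeout; these are what the classifier sees."""
        expired = [f for f in self.flows.values() if now - f.last_ts > self.timeout_s]
        for f in expired:
            del self.flows[f.key]
        return expired


# Constructed sample: one short HTTP exchange and one one-way UDP stream.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "10.0.0.9", 51000, 80, "TCP", 60),
    Packet(0.01, "10.0.0.9", "10.0.0.5", 80, 51000, "TCP", 60),
    Packet(0.02, "10.0.0.5", "10.0.0.9", 51000, 80, "TCP", 52),
    Packet(0.03, "10.0.0.5", "10.0.0.9", 51000, 80, "TCP", 500),
    Packet(0.05, "10.0.0.9", "10.0.0.5", 80, 51000, "TCP", 1400),
    Packet(0.10, "10.0.0.7", "10.0.0.9", 40000, 53, "UDP", 90),
    Packet(0.11, "10.0.0.7", "10.0.0.9", 40000, 53, "UDP", 90),
    Packet(0.12, "10.0.0.7", "10.0.0.9", 40000, 53, "UDP", 90),
]


def run_sample(timeout_s: float = 120.0) -> Dict[FlowKey, Dict[str, float]]:
    table = FlowTable(timeout_s)
    for p in SAMPLE_PACKETS:
        table.ingest(p)
    # Sweep as if the sweep loop ran well after the last packet, so every flow is idle.
    expired = table.sweep(now=SAMPLE_PACKETS[-1].ts + timeout_s + 1.0)
    return {f.key: f.features() for f in expired}


if __name__ == "__main__":
    for key, feats in run_sample().items():
        print(key, feats)
```

The sweep-on-timeout design matters for detection latency: a flow is only classified once it has been idle for `--timeout` seconds, so a long timeout delays alerts on short-lived flood flows while a short one fragments long connections into several partial flows.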
| Metric | Score |
|---|---|
| F1 Score | 0.995 |
| Accuracy | 99.0% |
| Benign Recall | 92.3% |
| Attack Recall | 99.6% |
| ROC-AUC | 0.996 |
```mermaid
%%{init: {"theme": "dark", "themeVariables": { "primaryColor": "#1a1a2e", "edgeLabelBackground":"#16213e", "tertiaryColor": "#1a1a2e"}}}%%
flowchart TB
    %% -------------------- 1. DATA --------------------
    subgraph DATA["Data Loading"]
        A1["CIC-DDoS2019<br/>Parquet files"]
        A2["Concatenate & binarize labels"]
        A3["Drop constant columns<br/>Keep numeric only"]
        A1 --> A2 --> A3
    end
    %% -------------------- 2. PREPROCESS --------------------
    subgraph PREPROCESS["Preprocessing"]
        B1["Log transform<br/>sign(x) · log1p(|x|)"]
        B2["Remove zero-variance columns"]
        B3["Inf → NaN<br/>Median imputation"]
        B4["Mutual information selection<br/>Drop bottom 10%"]
        B5["One-class split<br/>Train: benign only"]
        B6["StandardScaler<br/>Fit on benign train"]
        B1 --> B2 --> B3 --> B4 --> B5 --> B6
    end
    %% -------------------- 3. DETECTORS --------------------
    subgraph DETECTORS["Anomaly Detectors (Benign-Trained)"]
        direction LR
        C1["Isolation Forest<br/>300 estimators"]
        C2["VAE Autoencoder<br/>Skip connections"]
        C3["One-Class SVM<br/>RBF kernel"]
    end
    %% -------------------- 4. ENSEMBLE --------------------
    subgraph ENSEMBLE["Q-Ensemble Stacking"]
        D1["Normalized anomaly scores<br/>(IF, VAE, SVM)"]
        D2["Logistic Regression<br/>Learned weights"]
        D3["Threshold tuning<br/>Max macro F-β"]
        D1 --> D2 --> D3
    end
    %% -------------------- 5. EVALUATION --------------------
    subgraph EVAL["Evaluation"]
        E1["Test metrics<br/>F1 · Accuracy · AUC"]
        E2["Per-attack detection rates"]
        E3["ROC curve & confusion matrix"]
        E1 --> E2 --> E3
    end
    %% -------------------- 6. EXPORT --------------------
    subgraph EXPORT["ONNX Export"]
        F1["Isolation Forest → ONNX"]
        F2["VAE → ONNX"]
        F3["SVM → ONNX"]
        F4["JSON configs<br/>Scaler + ensemble params"]
    end
    %% -------------------- FLOW --------------------
    DATA --> PREPROCESS
    PREPROCESS --> DETECTORS
    DETECTORS --> ENSEMBLE
    ENSEMBLE --> EVAL
    EVAL --> EXPORT
    %% -------------------- DARK THEME STYLING --------------------
    classDef default fill:#1a1a2e,stroke:#000,stroke-width:2px,color:#eee;
    classDef sub fill:#16213e,stroke:#000,stroke-width:2px,color:#fff;
    class DATA,PREPROCESS,DETECTORS,ENSEMBLE,EVAL,EXPORT sub;
```
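The Preprocessing stage of the pipeline above, as an added pure-Python example (not the project's `preprocessor.py`): the signed log transform `sign(x) · log1p(|x|)`, replacement of inf/NaN by the benign median, removal of zero-variance columns, and a StandardScaler whose mean and standard deviation are fitted on benign training rows only and then applied unchanged to everything else. Mutual-information selection is omitted, and the imputation step is applied before the variance filter so that non-finite values cannot poison the variance computation. The rows are constructed samples, not dataset records, and the feature names are assumptions.

```python
"""Benign-only feature preprocessing (added example in pure Python; not the project's
preprocessor.py): signed log transform, inf/NaN -> median imputation, zero-variance
column drop, and a StandardScaler fitted on benign training rows only."""
import math
from statistics import mean, median, pstdev
from typing import Dict, List

Row = Dict[str, float]


def signed_log1p(x: float) -> float:
    """sign(x) * log1p(|x|): compresses heavy-tailed counts, keeps 0 at 0, passes inf/NaN through."""
    if not math.isfinite(x):
        return x
    return math.copysign(math.log1p(abs(x)), x)


class Preprocessor:
    def __init__(self) -> None:
        self.medians: Dict[str, float] = {}   # imputation values from finite benign data
        self.columns: List[str] = []          # columns kept after the zero-variance filter
        self.means: Dict[str, float] = {}
        self.stds: Dict[str, float] = {}

    def fit(self, benign_rows: List[Row]) -> "Preprocessor":
        logged = [{c: signed_log1p(v) for c, v in r.items()} for r in benign_rows]
        for c in logged[0]:
            finite = [r[c] for r in logged if math.isfinite(r[c])]
            self.medians[c] = median(finite) if finite else 0.0
        imputed = [self._impute(r) for r in logged]
        for c in self.medians:
            vals = [r[c] for r in imputed]
            sd = pstdev(vals)
            if sd > 0.0:   # constant columns carry no signal and would divide by zero
                self.columns.append(c)
                self.means[c], self.stds[c] = mean(vals), sd
        return self

    def _impute(self, r: Row) -> Row:
        return {c: (v if math.isfinite(v) else self.medians[c]) for c, v in r.items()}

    def transform(self, rows: List[Row]) -> List[List[float]]:
        """Apply the benign-fitted statistics to any rows (benign or attack); never refit here."""
        out = []
        for r in rows:
            logged = self._impute({c: signed_log1p(r[c]) for c in self.medians})
            out.append([(logged[c] - self.means[c]) / self.stds[c] for c in self.columns])
        return out


# Constructed sample rows (not dataset records). `proto_tcp` is constant; the zero-duration
# flow yields an inf packet rate, which imputation replaces with the benign median.
BENIGN_TRAIN: List[Row] = [
    {"flow_duration": 1000.0, "tot_fwd_pkts": 5.0, "proto_tcp": 1.0, "flow_pkts_per_s": 5.0},
    {"flow_duration": 2000.0, "tot_fwd_pkts": 8.0, "proto_tcp": 1.0, "flow_pkts_per_s": 4.0},
    {"flow_duration": 0.0, "tot_fwd_pkts": 1.0, "proto_tcp": 1.0, "flow_pkts_per_s": math.inf},
    {"flow_duration": 500.0, "tot_fwd_pkts": 3.0, "proto_tcp": 1.0, "flow_pkts_per_s": 6.0},
]
ATTACK_TEST: List[Row] = [
    {"flow_duration": 2.0, "tot_fwd_pkts": 1.0, "proto_tcp": 1.0, "flow_pkts_per_s": 500000.0},
]


def run_demo() -> Dict[str, object]:
    pre = Preprocessor().fit(BENIGN_TRAIN)
    return {
        "columns": pre.columns,
        "rate_median": pre.medians["flow_pkts_per_s"],
        "benign_scaled": pre.transform(BENIGN_TRAIN),
        "attack_scaled": pre.transform(ATTACK_TEST),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Fitting the scaler on benign rows only is what makes the detectors one-class: a flood flow's packet rate lands tens of standard deviations from the benign mean, which is exactly the deviation the Isolation Forest, VAE and One-Class SVM are later asked to score.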
```mermaid
graph TB
    %% -------------------- 1. PACKET ACQUISITION --------------------
    subgraph L1["Packet Acquisition Layer"]
        A["NIC capture<br/>(pnet → TCP/UDP)"]
    end
    %% -------------------- 2. FLOW PROCESSING --------------------
    subgraph L2["Flow Processing Layer"]
        B["Flow aggregation<br/>(Bidirectional table → DashMap)"]
        C["Feature extraction<br/>(54 CICFlowMeter)"]
    end
    %% -------------------- 3. PREPROCESSING --------------------
    subgraph L3["Preprocessing Layer"]
        D["Log transform"]
        E["Standard scaler"]
    end
    %% -------------------- 4. MODEL INFERENCE --------------------
    subgraph L4["Model Inference Layer (ONNX Runtime)"]
        direction LR
        F["Isolation Forest"]
        G["Variational Autoencoder"]
        H["One-Class SVM"]
    end
    %% -------------------- 5. ENSEMBLE --------------------
    subgraph L5["Ensemble & Decision Layer"]
        I["Logistic Regression combiner"]
        J["Thresholding"]
        K{"Attack?"}
    end
    %% -------------------- 6. OUTPUT --------------------
    subgraph L6["Output Layer"]
        L["Alert<br/>(src/dst IPs, protocol, score)"]
        M["Benign traffic"]
    end
    %% -------------------- FLOW --------------------
    A --> B
    B --> C
    C --> D
    D --> E
    E --> F
    E --> G
    E --> H
    F --> I
    G --> I
    H --> I
    I --> J
    J --> K
    K -- "Yes" --> L
    K -- "No" --> M
    %% -------------------- STYLING (High Contrast / Professional) --------------------
    style L1 stroke:#000,stroke-width:2px
    style L2 stroke:#000,stroke-width:2px
    style L3 stroke:#000,stroke-width:2px
    style L4 stroke:#000,stroke-width:2px
    style L5 stroke:#000,stroke-width:2px
    style L6 stroke:#000,stroke-width:2px
    style A stroke:#000,stroke-width:2px
    style B stroke:#000,stroke-width:2px
    style C stroke:#000,stroke-width:2px
    style D stroke:#000,stroke-width:2px
    style E stroke:#000,stroke-width:2px
    style F stroke:#000,stroke-width:2px
    style G stroke:#000,stroke-width:2px
    style H stroke:#000,stroke-width:2px
    style I stroke:#000,stroke-width:2px
    style J stroke:#000,stroke-width:2px
    style K stroke:#000,stroke-width:2px
    style L stroke:#000,stroke-width:2px
    style M stroke:#000,stroke-width:2px
```
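The Q-Ensemble Stacking stage of the training pipeline and the Ensemble & Decision Layer of the agent, as one added pure-Python example (not the project's `q_ensemble.py` or `inference.rs`): the three detectors' raw anomaly scores, which live on very different scales, are min-max normalized, a logistic-regression combiner learns one weight per detector from a labeled calibration split, and the decision threshold is chosen by sweeping candidate thresholds and keeping the one that maximizes macro F-β (the mean of the attack-class and benign-class F-β). The detector scores are synthetic Gaussian samples generated from a fixed seed; the score ranges, the choice to fit the normalizer on the whole labeled calibration set, and gradient-descent training of the combiner are assumptions, not details taken from the project.

```python
"""Q-Ensemble-style stacking in pure Python (added example): min-max normalized anomaly
scores from three detectors -> logistic-regression combiner -> threshold tuned for
maximum macro F-beta. Detector scores here are synthetic, higher = more anomalous."""
import math
import random
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[float]]


class MinMaxNormalizer:
    """Per-detector min/max fitted on the calibration split; outputs clipped to [0, 1]."""

    def __init__(self) -> None:
        self.lo: List[float] = []
        self.hi: List[float] = []

    def fit(self, scores: Matrix) -> "MinMaxNormalizer":
        cols = list(zip(*scores))
        self.lo, self.hi = [min(c) for c in cols], [max(c) for c in cols]
        return self

    def transform(self, scores: Matrix) -> Matrix:
        out = []
        for row in scores:
            norm = []
            for x, lo, hi in zip(row, self.lo, self.hi):
                span = hi - lo if hi > lo else 1.0       # guard a constant-output detector
                norm.append(min(max((x - lo) / span, 0.0), 1.0))
            out.append(norm)
        return out


class LogisticCombiner:
    """Logistic regression over normalized detector scores, trained by batch gradient descent."""

    def __init__(self, n_features: int, lr: float = 0.5, epochs: int = 500) -> None:
        self.w, self.b, self.lr, self.epochs = [0.0] * n_features, 0.0, lr, epochs

    def proba(self, x: Sequence[float]) -> float:
        z = self.b + sum(wj * xj for wj, xj in zip(self.w, x))
        z = max(min(z, 60.0), -60.0)                      # keep exp() in range
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, X: Matrix, y: Sequence[int]) -> "LogisticCombiner":
        n = len(X)
        for _ in range(self.epochs):
            gw, gb = [0.0] * len(self.w), 0.0
            for xi, yi in zip(X, y):
                err = self.proba(xi) - yi                 # d(log-loss)/d(logit)
                for j, xj in enumerate(xi):
                    gw[j] += err * xj
                gb += err
            self.w = [wj - self.lr * gj / n for wj, gj in zip(self.w, gw)]
            self.b -= self.lr * gb / n
        return self


def fbeta(tp: int, fp: int, fn: int, beta: float) -> float:
    if tp == 0:
        return 0.0
    prec, rec, b2 = tp / (tp + fp), tp / (tp + fn), beta * beta
    return (1 + b2) * prec * rec / (b2 * prec + rec)


def macro_fbeta(probs: Sequence[float], y: Sequence[int], thr: float, beta: float = 1.0) -> float:
    """Mean of F-beta for the attack class (positive) and the benign class at threshold thr."""
    pred = [1 if p >= thr else 0 for p in probs]
    tp = sum(1 for p, t in zip(pred, y) if p == 1 and t == 1)
    fp = sum(1 for p, t in zip(pred, y) if p == 1 and t == 0)
    fn = sum(1 for p, t in zip(pred, y) if p == 0 and t == 1)
    tn = len(y) - tp - fp - fn
    return 0.5 * (fbeta(tp, fp, fn, beta) + fbeta(tn, fn, fp, beta))


def tune_threshold(probs: Sequence[float], y: Sequence[int], beta: float = 1.0) -> Tuple[float, float]:
    """Sweep every distinct combined probability as a threshold; return (best_thr, best_macro_f)."""
    best_thr, best = 0.5, -1.0
    for thr in sorted(set(probs)):
        s = macro_fbeta(probs, y, thr, beta)
        if s > best:
            best_thr, best = thr, s
    return best_thr, best


# Synthetic detector outputs (IF, VAE reconstruction error, SVM), deliberately on different scales.
BENIGN_MEAN, BENIGN_SD = (-0.05, 2.0, 0.3), (0.05, 0.8, 0.3)
ATTACK_MEAN, ATTACK_SD = (0.20, 10.0, 1.8), (0.06, 2.5, 0.5)


def make_split(rng: random.Random, n_each: int) -> Tuple[Matrix, List[int]]:
    draw = lambda m, s: [[rng.gauss(mi, si) for mi, si in zip(m, s)] for _ in range(n_each)]
    return draw(BENIGN_MEAN, BENIGN_SD) + draw(ATTACK_MEAN, ATTACK_SD), [0] * n_each + [1] * n_each


def run_demo(seed: int = 7, beta: float = 1.0) -> Dict[str, object]:
    rng = random.Random(seed)
    X_cal, y_cal = make_split(rng, 150)     # labeled split for stacking + threshold tuning
    X_test, y_test = make_split(rng, 150)   # held out, used once for the reported score
    norm = MinMaxNormalizer().fit(X_cal)
    comb = LogisticCombiner(3).fit(norm.transform(X_cal), y_cal)
    thr, cal_f = tune_threshold([comb.proba(x) for x in norm.transform(X_cal)], y_cal, beta)
    test_f = macro_fbeta([comb.proba(x) for x in norm.transform(X_test)], y_test, thr, beta)
    return {"weights": comb.w, "bias": comb.b, "threshold": thr, "cal_macro_f": cal_f, "test_macro_f": test_f}


if __name__ == "__main__":
    print(run_demo())
```

Tuning the threshold on the same split used to fit the combiner is the usual source of optimistic numbers, which is why the block keeps a separate held-out split for the score it reports, and why a β above 1 (favouring attack recall) should be chosen with the benign-recall cost in mind.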
```
ensemble_ddos_detection/          # Python training pipeline
├── config.py                     # Hyperparams & paths
├── data/
│   ├── loader.py                 # Load parquets, preserve attack types
│   └── preprocessor.py           # Log-transform, MI selection, scaling
├── models/
│   ├── isolation_forest.py       # Isolation Forest wrapper
│   ├── autoencoder.py            # VAE with skip connections
│   ├── one_class_svm.py          # One-Class SVM wrapper
│   └── q_ensemble.py             # Logistic Regression stacking combiner
├── training/
│   └── trainer.py                # Full pipeline orchestrator
├── evaluation/
│   └── metrics.py                # Metrics + per-attack-type evaluation
└── export/
    └── exporter.py               # Export all models to ONNX
src/                              # Rust real-time agent
├── main.rs                       # CLI, capture thread, sweep loop
├── capture.rs                    # Packet capture via pnet (TCP/UDP)
├── flow.rs                       # Concurrent flow table (DashMap)
├── features.rs                   # 54-feature CICFlowMeter extraction
├── preprocess.rs                 # Log-transform + StandardScaler
├── inference.rs                  # ONNX inference + LR combiner
├── config.rs                     # JSON config deserialization
├── tui/                          # Terminal UI (ratatui)
│   ├── app.rs                    # App state, event handling, tab navigation
│   ├── event.rs                  # Terminal event loop
│   ├── collectors/               # Background data collectors
│   │   ├── config.rs             # Config collector
│   │   ├── connections.rs        # Active connections collector
│   │   ├── geo.rs                # GeoIP lookups
│   │   ├── health.rs             # System health metrics
│   │   └── traffic.rs            # Traffic statistics
│   ├── platform/                 # OS-specific network interface detection
│   │   ├── linux.rs
│   │   ├── macos.rs
│   │   └── windows.rs
│   └── ui/                       # Tab UI renderers
│       ├── dashboard.rs          # Overview dashboard
│       ├── connections.rs        # Active connections table
│       ├── topology.rs           # Network topology view
│       ├── timeline.rs           # Traffic timeline graphs
│       ├── interfaces.rs         # Network interfaces tab
│       ├── ddos_logs.rs          # DDoS detection log viewer
│       ├── help.rs               # Help / keybindings tab
│       └── widgets.rs            # Shared widget helpers
└── test/                         # Unit tests
    ├── test_config.rs
    ├── test_features.rs
    ├── test_flow.rs
    ├── test_inference.rs
    └── test_preprocess.rs
models/exported/                  # Trained model artifacts
├── onnx/                         # ONNX models for Rust inference
├── *.pkl                         # Pickled sklearn models
├── *.pt                          # PyTorch checkpoints
└── *.json                        # Scaler, ensemble & normalization configs
train.py                          # Python CLI entry-point
```

