Open Access

ARTICLE

Adapting Convolutional Autoencoder for DDoS Attack Detection via Joint Reconstruction Learning and Refined Anomaly Scoring

Seulki Han¹, Sangho Son², Won Sakong², Haemin Jung^3,*

1 Department of Digital Analytics, Yonsei University, Seoul, 03722, Republic of Korea
2 Department of Industrial Engineering, Yonsei University, Seoul, 03722, Republic of Korea
3 Department of Industrial & Management Engineering, Korea National University of Transportation, Chungju, 27469, Republic of Korea

* Corresponding Author: Haemin Jung. Email:

Computers, Materials & Continua 2025, 85(2), 2893-2912. https://doi.org/10.32604/cmc.2025.067211

Received 27 April 2025; Accepted 20 August 2025; Issue published 23 September 2025

Abstract

As cyber threats become increasingly sophisticated, Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to network infrastructure, often disrupting critical services through overwhelming traffic. Although unsupervised anomaly detection using convolutional autoencoders (CAEs) has gained attention for its ability to model normal network behavior without requiring labeled data, conventional CAEs struggle to effectively distinguish between normal and attack traffic due to over-generalized reconstructions and naive anomaly scoring. To address these limitations, we propose CA-CAE, a novel anomaly detection framework designed to improve DDoS detection through asymmetric joint reconstruction learning and refined anomaly scoring. Our architecture connects two CAEs sequentially with asymmetric filter allocation, which amplifies reconstruction errors for anomalous data while preserving low errors for normal traffic. Additionally, we introduce a scoring mechanism that incorporates exponential decay weighting to emphasize recent anomalies and relative traffic volume adjustment to highlight high-risk instances, enabling more accurate and timely detection. We evaluate CA-CAE on a real-world network traffic dataset collected using Cisco NetFlow, containing over 190,000 normal instances and only 78 anomalous instances—an extremely imbalanced scenario (0.0004% anomalies). We validate the proposed framework through extensive experiments, including statistical tests and comparisons with baseline models. Despite this challenge, our method achieves significant improvement, increasing the F1-score from 0.515 obtained by the baseline CAE to 0.934, and outperforming other models. These results demonstrate the effectiveness, scalability, and practicality of CA-CAE for unsupervised DDoS detection in realistic network environments. By combining lightweight model architecture with a domain-aware scoring strategy, our framework provides a robust solution for early detection of DDoS attacks without relying on labeled attack data.

---

Keywords

---