Open Access
REVIEW
Graph and Transformer-Based Deep Learning Paradigms for DDoS Detection: A Systematic and Critical Survey
1 Faculty of Nursing, Babylon University, Hilla, Iraq
2 Department of Computer Engineering, Ferdowsi University of Mashhad, Mashhad, Iran
3 Intelligent Medical Systems Department, College of Sciences, Al-Mustaqbal University, Babylon, Iraq
4 College of Information Technology, University of Babylon, Babylon, Iraq
5 Computer Engineering Department, Hakim Sabzevari University (HSU), Sabzevar, Iran
* Corresponding Author: Seyed Amin Hosseini Seno. Email:
(This article belongs to the Special Issue: Advances in Machine Learning and Artificial Intelligence for Intrusion Detection Systems)
Computers, Materials & Continua 2026, 88(1), 1 https://doi.org/10.32604/cmc.2026.078546
Received 03 January 2026; Accepted 04 March 2026; Issue published 08 May 2026
Abstract
With the rapid expansion of networked systems, Distributed Denial-of-Service (DDoS) attacks have become a major threat to Internet security and service availability. Traditional machine learning algorithms frequently fail in large-scale DDoS scenarios because of their limited scalability, their inability to capture temporal and relational dependencies, and their reduced detection accuracy under dynamic, high-volume network traffic. This motivates the application of deep learning techniques that can model intricate relationships. This survey systematically reviews graph-based deep learning and Transformer models for DDoS detection. We categorize methods for transforming network traffic into graph representations and analyze key architectures, including GraphSAGE, GCN, GAT, spatio-temporal Transformers, and hybrid GNN–Transformer models. We summarize the evaluation metrics, datasets, feature extraction strategies, and performance trends reported across existing studies. Our comparative review shows that these approaches capture both topological and temporal patterns in network traffic, enabling more accurate identification of coordinated DDoS attacks reported in the literature. Remaining challenges include explainability, scalability, data imbalance, and limited generalization. The survey's contributions are a unified taxonomy, a comparative analysis, the identification of open challenges, and future research directions toward explainable, lightweight, and federated frameworks.
Copyright © 2026 The Author(s). Published by Tech Science Press. This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

