Sensors (Basel). 2025 Aug 6;25(15):4845.
doi: 10.3390/s25154845.

A Multi-Class Intrusion Detection System for DDoS Attacks in IoT Networks Using Deep Learning and Transformers

Sheikh Abdul Wahab et al. Sensors (Basel).

Abstract

The rapid proliferation of Internet of Things (IoT) devices has significantly increased vulnerability to Distributed Denial of Service (DDoS) attacks, which can severely disrupt network operations. DDoS attacks in IoT networks disrupt communication and compromise service availability, causing severe operational and economic losses. In this paper, we present a Deep Learning (DL)-based Intrusion Detection System (IDS) tailored for IoT environments. Our system employs three architectures, namely Convolutional Neural Networks (CNNs), Deep Neural Networks (DNNs), and Transformer-based models, to perform binary, three-class, and 12-class classification tasks on the CIC-IoT 2023 dataset. Data preprocessing includes log normalization to stabilize feature distributions and SMOTE-based oversampling to mitigate class imbalance. Experiments on the CIC-IoT 2023 dataset show that, in the binary classification task, the DNN achieved 99.2% accuracy, the CNN 99.0%, and the Transformer 98.8%. In three-class classification (benign, DDoS, and non-DDoS), all models attained near-perfect performance (approximately 99.9–100%). In the 12-class scenario (benign plus 12 attack types), the DNN, CNN, and Transformer reached 93.0%, 92.7%, and 92.5% accuracy, respectively. The high precision, recall, and ROC-AUC values corroborate the efficacy and generalizability of our approach for IoT DDoS detection. Comparative analysis indicates that our proposed IDS outperforms state-of-the-art methods in terms of detection accuracy and efficiency. These results underscore the potential of integrating advanced DL models into IDS frameworks, thereby providing a scalable and effective solution to secure IoT networks against evolving DDoS threats. Future work will explore further enhancements, including the use of deeper Transformer architectures and cross-dataset validation, to ensure robustness in real-world deployments.

Keywords: Convolutional Neural Network; Deep Learning; Distributed Denial of Service; Internet of Things security; Intrusion Detection System; Synthetic Minority Over-sampling Technique; Transformer; anomaly detection.

Conflict of interest statement

The authors declare no conflicts of interest.

Figures

Figure 1. Proposed methodology.
Figure 2. Training pipeline.
Figure 3. Binary classification accuracy.
Figure 4. Three-class classification accuracy.
Figure 5. Twelve-class classification accuracy.
Figure 6. FPR comparison across CNN, DNN, and Transformer models on 2-class, 3-class, and 12-class classification tasks. All models maintain low FPRs (<0.01), validating the reliability of their predictions beyond accuracy alone.
Figure 7. Binary classification loss.
Figure 8. Three-class classification loss.
Figure 9. Twelve-class classification loss.
Figure 10. Binary classification performance metrics.
Figure 11. Three-class classification performance metrics.
Figure 12. Twelve-class classification performance metrics.
Figure 13. ROC curves for binary classification.
Figure 14. ROC curves for 3-class classification.
Figure 15. ROC curves for 12-class multiclass classification.
Figure 16. Binary classification confusion matrices across three folds (CNN, DNN, and Transformer).
Figure 17. Three-class (benign, DDoS, and non-DDoS) confusion matrices across three folds (CNN, DNN, and Transformer).
Figure 18. Twelve-class confusion matrices across three folds (CNN, DNN, and Transformer).
