Constructing an Ensemble Stacking Model for Detecting DDoS Attacks

Distributed Denial-of-Service (DDoS) attacks continue to escalate in scale and complexity, posing significant threats to modern network infrastructures and cloud services. Although many machine learning and deep learning approaches have been proposed for intrusion detection, most existing studies rely on raw traffic features and binary classification, which limits their ability to capture complex temporal characteristics of multi-class DDoS attacks. To address these challenges, this study proposes an ensemble stacking framework combined with a frequency-domain feature representation for DDoS detection using the CIC-DDoS2019 dataset. Random Forest (RF), AdaBoost, and XGBoost are employed as base learners, while Logistic Regression is adopted as the meta-learner, and grid search cross-validation is used to determine the optimal hyperparameters. The main contributions of this study are threefold. First, a feature extraction pipeline integrating Fast Fourier Transform (FFT), sliding-window segmentation, and SHA256-based deduplication is proposed to capture temporal–frequency characteristics of network traffic while reducing redundant feature segments. Second, a stacking ensemble model is constructed to integrate heterogeneous classifiers and improve classification robustness across multiple attack types. Third, the proposed framework significantly improves computational efficiency by reducing feature redundancy, leading to substantial reductions in model training time. Experimental results demonstrate that the proposed FFT + SHA256 + SW stacking model achieves near-perfect detection performance, with an accuracy of 0.9997 and an F1-score of 0.9998 on the original dataset, which further improves to an accuracy of 0.9998 and an F1-score of 0.9999 when combined with SMOTE. Statistical evaluation using the Friedman test confirms that the stacking model consistently achieves the best ranking among the evaluated classifiers. The results indicate that the proposed approach provides an accurate, efficient, and scalable solution for large-scale DDoS attack detection.