{"id":"https://openalex.org/W7123359287","doi":"https://doi.org/10.1109/access.2026.3653648","title":"On the Limited Generalizability of a Universal Features Set for DDoS Detection Across Network Environments","display_name":"On the Limited Generalizability of a Universal Features Set for DDoS Detection Across Network Environments","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7123359287","doi":"https://doi.org/10.1109/access.2026.3653648"},"language":null,"primary_location":{"id":"doi:10.1109/access.2026.3653648","is_oa":true,"landing_page_url":"https://doi.org/10.1109/access.2026.3653648","pdf_url":null,"source":{"id":"https://openalex.org/S2485537415","display_name":"IEEE Access","issn_l":"2169-3536","issn":["2169-3536"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Access","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1109/access.2026.3653648","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5107186714","display_name":"Osama Ebrahem","orcid":null},"institutions":[{"id":"https://openalex.org/I875646752","display_name":"Damascus University","ror":"https://ror.org/03m098d13","country_code":"SY","type":"education","lineage":["https://openalex.org/I875646752"]}],"countries":["SY"],"is_corresponding":true,"raw_author_name":"Osama Ebrahem","raw_affiliation_strings":["Department of Computer Systems and Networking Engineering, Faculty of Information Engineering, Damascus University, Damascus, Syria"],"raw_orcid":"https://orcid.org/0009-0003-4321-9854","affiliations":[{"raw_affiliation_string":"Department of Computer Systems and Networking Engineering, Faculty of Information Engineering, Damascus University, Damascus, Syria","institution_ids":["https://openalex.org/I875646752"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5087214645","display_name":"Salah Dowaji","orcid":null},"institutions":[{"id":"https://openalex.org/I875646752","display_name":"Damascus University","ror":"https://ror.org/03m098d13","country_code":"SY","type":"education","lineage":["https://openalex.org/I875646752"]}],"countries":["SY"],"is_corresponding":false,"raw_author_name":"Salah Dowaji","raw_affiliation_strings":["Department of Computer Systems and Networking Engineering, Faculty of Information Engineering, Damascus University, Damascus, Syria"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Computer Systems and Networking Engineering, Faculty of Information Engineering, Damascus University, Damascus, Syria","institution_ids":["https://openalex.org/I875646752"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5107186715","display_name":"Suhel Alhammoud","orcid":null},"institutions":[{"id":"https://openalex.org/I137613304","display_name":"Homs University","ror":"https://ror.org/01pwpsf61","country_code":"SY","type":"education","lineage":["https://openalex.org/I137613304"]}],"countries":["SY"],"is_corresponding":false,"raw_author_name":"Suhel Alhammoud","raw_affiliation_strings":["Department of Software Engineering, Faculty of Information Engineering, Homs University, Homs, Syria"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Software Engineering, Faculty of Information Engineering, Homs University, Homs, Syria","institution_ids":["https://openalex.org/I137613304"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5107186714"],"corresponding_institution_ids":["https://openalex.org/I875646752"],"apc_list":{"value":1850,"currency":"USD","value_usd":1850},"apc_paid":{"value":1850,"currency":"USD","value_usd":1850},"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.06441732,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"14","issue":null,"first_page":"7932","last_page":"7974"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.8913000226020813,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.8913000226020813,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10714","display_name":"Software-Defined Networks and 5G","score":0.029400000348687172,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.014100000262260437,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.8579000234603882},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.5943999886512756},{"id":"https://openalex.org/keywords/generalizability-theory","display_name":"Generalizability theory","score":0.5493999719619751},{"id":"https://openalex.org/keywords/random-forest","display_name":"Random forest","score":0.5030999779701233},{"id":"https://openalex.org/keywords/application-layer-ddos-attack","display_name":"Application layer DDoS attack","score":0.4853000044822693},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4449000060558319},{"id":"https://openalex.org/keywords/bayesian-network","display_name":"Bayesian network","score":0.3961000144481659},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.39100000262260437},{"id":"https://openalex.org/keywords/naive-bayes-classifier","display_name":"Naive Bayes classifier","score":0.38580000400543213}],"concepts":[{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.8579000234603882},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8529999852180481},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6087999939918518},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.5943999886512756},{"id":"https://openalex.org/C27158222","wikidata":"https://www.wikidata.org/wiki/Q5532422","display_name":"Generalizability theory","level":2,"score":0.5493999719619751},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5467000007629395},{"id":"https://openalex.org/C169258074","wikidata":"https://www.wikidata.org/wiki/Q245748","display_name":"Random forest","level":2,"score":0.5030999779701233},{"id":"https://openalex.org/C120865594","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Application layer DDoS attack","level":4,"score":0.4853000044822693},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4449000060558319},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3993000090122223},{"id":"https://openalex.org/C33724603","wikidata":"https://www.wikidata.org/wiki/Q812540","display_name":"Bayesian network","level":2,"score":0.3961000144481659},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.39100000262260437},{"id":"https://openalex.org/C52001869","wikidata":"https://www.wikidata.org/wiki/Q812530","display_name":"Naive Bayes classifier","level":3,"score":0.38580000400543213},{"id":"https://openalex.org/C148483581","wikidata":"https://www.wikidata.org/wiki/Q446488","display_name":"Feature selection","level":2,"score":0.35839998722076416},{"id":"https://openalex.org/C169988225","wikidata":"https://www.wikidata.org/wiki/Q7832484","display_name":"Traffic classification","level":3,"score":0.3400000035762787},{"id":"https://openalex.org/C43214815","wikidata":"https://www.wikidata.org/wiki/Q7310987","display_name":"Reliability (semiconductor)","level":3,"score":0.33550000190734863},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.33000001311302185},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.3156999945640564},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.2969000041484833},{"id":"https://openalex.org/C22019652","wikidata":"https://www.wikidata.org/wiki/Q331309","display_name":"Overfitting","level":3,"score":0.2939000129699707},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.2874000072479248},{"id":"https://openalex.org/C59404180","wikidata":"https://www.wikidata.org/wiki/Q17013334","display_name":"Feature learning","level":2,"score":0.2793000042438507},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.274399995803833},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.27399998903274536},{"id":"https://openalex.org/C2780428219","wikidata":"https://www.wikidata.org/wiki/Q16952335","display_name":"Cover (algebra)","level":2,"score":0.2689000070095062},{"id":"https://openalex.org/C100808899","wikidata":"https://www.wikidata.org/wiki/Q1192100","display_name":"Set cover problem","level":3,"score":0.2624000012874603},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.2535000145435333},{"id":"https://openalex.org/C116537","wikidata":"https://www.wikidata.org/wiki/Q2169973","display_name":"Service provider","level":3,"score":0.2529999911785126},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.25290000438690186},{"id":"https://openalex.org/C136389625","wikidata":"https://www.wikidata.org/wiki/Q334384","display_name":"Supervised learning","level":3,"score":0.25119999051094055}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/access.2026.3653648","is_oa":true,"landing_page_url":"https://doi.org/10.1109/access.2026.3653648","pdf_url":null,"source":{"id":"https://openalex.org/S2485537415","display_name":"IEEE Access","issn_l":"2169-3536","issn":["2169-3536"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Access","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1109/access.2026.3653648","is_oa":true,"landing_page_url":"https://doi.org/10.1109/access.2026.3653648","pdf_url":null,"source":{"id":"https://openalex.org/S2485537415","display_name":"IEEE Access","issn_l":"2169-3536","issn":["2169-3536"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Access","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":40,"referenced_works":["https://openalex.org/W1981976602","https://openalex.org/W2060495548","https://openalex.org/W2148143831","https://openalex.org/W2342408547","https://openalex.org/W2516066574","https://openalex.org/W2848880782","https://openalex.org/W2982682021","https://openalex.org/W3011776577","https://openalex.org/W3013306169","https://openalex.org/W3021973688","https://openalex.org/W3087306757","https://openalex.org/W3118220620","https://openalex.org/W3121493031","https://openalex.org/W3124441917","https://openalex.org/W3138963730","https://openalex.org/W3152794541","https://openalex.org/W3185052486","https://openalex.org/W3185324814","https://openalex.org/W3185359994","https://openalex.org/W3200626950","https://openalex.org/W3209469313","https://openalex.org/W3216341310","https://openalex.org/W4206509010","https://openalex.org/W4206558373","https://openalex.org/W4229003780","https://openalex.org/W4285145603","https://openalex.org/W4309635201","https://openalex.org/W4362639200","https://openalex.org/W4366748065","https://openalex.org/W4386267888","https://openalex.org/W4388274259","https://openalex.org/W4388819979","https://openalex.org/W4393028950","https://openalex.org/W4396220530","https://openalex.org/W4399915793","https://openalex.org/W4400877832","https://openalex.org/W4402568216","https://openalex.org/W4404739890","https://openalex.org/W4406305643","https://openalex.org/W4409360552"],"related_works":[],"abstract_inverted_index":{"DDoS":[0,21,44,83,97],"is":[1,12,24,66],"a":[2,91,102,160,204,212,252,259,266],"predominant":[3],"threat":[4],"to":[5,26,67,81,121,229],"the":[6,69,131,181,194,230,237,274],"reliability":[7],"of":[8,63,71,232],"online":[9],"services":[10],"and":[11,58,73,116,124,151,158,164,174,187],"frequently":[13],"experienced":[14],"by":[15,31],"service":[16],"providers":[17],"worldwide.":[18],"An":[19],"effective":[20],"classification":[22],"mechanism":[23],"essential":[25],"prevent":[27],"resource":[28],"outages":[29],"caused":[30],"such":[32],"attacks.":[33],"However,":[34],"relatively":[35],"few":[36],"studies":[37],"utilize":[38],"up-to-date":[39],"datasets":[40],"that":[41,193],"reflect":[42],"recent":[43],"attack":[45,84,98],"patterns.":[46],"Furthermore,":[47],"existing":[48],"solutions":[49],"often":[50],"require":[51],"high":[52],"processing":[53],"capacity":[54],"for":[55,96],"model":[56,263],"training":[57],"prediction.":[59],"The":[60,170,190],"main":[61],"objective":[62],"this":[64,87,107,249],"study":[65,250],"verify":[68],"generalizability":[70],"relevant":[72],"significant":[74],"features":[75,196,272,276],"extracted":[76],"from":[77],"large-scale":[78],"network":[79],"traffic":[80],"enhance":[82],"detection.":[85],"In":[86,106],"paper,":[88],"we":[89,109,156],"present":[90],"universal":[92,103,138,161,167,195,275],"machine":[93,133],"learning":[94,134],"approach":[95],"detection":[99],"based":[100],"on":[101],"feature":[104,139,162,168],"set.":[105,277],"approach,":[108],"apply":[110],"both":[111],"an":[112,117],"over-sampling":[113],"method":[114,119],"(SMOTE)":[115],"under-sampling":[118],"(NearMiss)":[120],"produce":[122],"balanced":[123],"variably":[125],"sized":[126],"samples.":[127],"We":[128],"then":[129],"implement":[130],"following":[132],"algorithms":[135],"using":[136,176],"minimal":[137,166],"subsets:":[140],"Complement":[141],"Na\u00efve":[142],"Bayes":[143],"(CNB),":[144],"k-Nearest":[145],"Neighbor":[146],"(KNN),":[147],"Random":[148,238],"Forest":[149,239],"(RF),":[150],"Logistic":[152],"Regression":[153],"(LR).":[154],"Moreover,":[155],"analyze":[157],"evaluate":[159],"set":[163,197],"several":[165],"subsets.":[169],"models":[171],"are":[172],"trained":[173],"tested":[175],"modern,":[177],"reliable":[178],"datasets,":[179],"namely":[180],"CIC-DDoS2019,":[182],"SDN-DDoS":[183],"Traffic,":[184],"CIC-IoT":[185],"2023,":[186],"VeReMi":[188],"datasets.":[189],"results":[191,243],"demonstrate":[192],"delivered":[198],"suboptimal":[199],"performance":[200,246,264],"not":[201],"only":[202],"in":[203,211,226],"Software-Defined":[205],"Networking":[206],"(SDN)":[207],"environment":[208],"but":[209],"also":[210],"Vehicular":[213],"Ad-hoc":[214],"Network":[215],"(VANET)":[216],"context,":[217],"thereby":[218],"confirming":[219],"its":[220],"limited":[221],"generalizability.":[222],"Its":[223],"efficacy":[224],"was,":[225],"fact,":[227],"confined":[228],"Internet":[231],"Things":[233],"(IoT)":[234],"environment,":[235],"where":[236],"algorithm":[240],"achieved":[241],"superior":[242],"across":[244],"all":[245],"metrics.":[247],"Although":[248],"offers":[251],"constrained":[253],"methodological":[254],"contribution,":[255],"it":[256],"experimentally":[257],"identifies":[258],"critical":[260],"shortcoming":[261],"affecting":[262],"stability:":[265],"strong":[267],"linear":[268],"correlation":[269],"between":[270],"two":[271],"within":[273]},"counts_by_year":[],"updated_date":"2026-01-24T23:23:39.755997","created_date":"2026-01-14T00:00:00"}