Abstract: A cybersecurity system for detecting DDoS attacks in real time, comprising a data collection module that gathers network traffic data and prepares it by removing noise and formatting it for analysis, a feature extraction module connected to the data collection module, which processes the formatted data to identify patterns related to DDoS attacks, a feature optimization module connected to the feature extraction module, to reduce data size and speed up processing, a classification module connected to the feature optimization module, which analyzes the selected patterns to identify whether the network traffic is normal or a DDoS attack and an output module connected to the classification module, providing real-time alerts about detected DDoS attacks for immediate action.
Description:
FIELD OF THE INVENTION
[0001] The present invention relates to a cybersecurity system for detecting DDoS attacks in real time that enables continuous monitoring and analysis of network traffic patterns in order to promptly identify abnormal activities and generate immediate alerts to mitigate potential cyber threats.
BACKGROUND OF THE INVENTION
[0002] In recent years, the increasing reliance on internet-based services and connected infrastructure has made computer networks highly susceptible to cyberattacks, particularly Distributed Denial-of-Service (DDoS) attacks. These attacks aim to overwhelm target systems with massive volumes of malicious traffic, rendering services unavailable to legitimate users and causing significant disruptions to business operations and data safety.
[0003] Traditional DDoS detection methods often rely on signature-based or threshold-based arrangements that lack adaptability and real-time responsiveness. These methods involve static rule sets or historical baselines, which are insufficient to detect sophisticated and evolving DDoS attack strategies. Also, many existing systems fail to efficiently process high volumes of network traffic or accurately differentiate between legitimate traffic spikes and malicious activities.
[0004] US2024223600A1 discloses an apparatus and a lightweight method that detect and prevent DDoS attacks in a 5G-IoT slice in real time without placing the burden of security on the constrained IoT devices. The apparatus includes eight IoT devices, a gNB, and a 5G core network. The core network consists of the AMF, SMF, UPF, PCF, UDR, and Network Data Analytics Function (NWDAF). Five IoT devices connected to an IoT slice via the gNB RAN and core network are loaded with DDoS code. The gNB provides the RAN part of the slice to the IoT devices, while the core network functions provide the core network part of the slice. A real-time and lightweight method consisting of an Intrusion Detection System (IDS) and honeypots is designed for DDoS attack detection in 5G IoT/mMTC slices. The system identifies the attack efficiently and is able to mitigate it at low computation and storage cost.
[0005] IN100DE2012A discloses an improved system and method for the analysis of certain strings that identify an attack against a web server. The client honeynet architecture deployed offers simulated web-based applications in order to detect, monitor and analyse any malicious activity. Combining the data-filtering process with fast packet analysis reduces the level of false alarms from 60% to 28%.
[0006] Conventionally, many systems for DDoS detection and mitigation rely on static filtering techniques, predefined rules, or manual threshold configurations, which are unable to respond effectively to rapidly evolving attack patterns or adapt to varying network conditions. These existing solutions also tend to generate high false positive rates and are computationally inefficient when processing large-scale, real-time traffic.
In order to overcome the aforementioned drawbacks, there exists a need in the art to develop a system capable of accurately detecting DDoS attacks in real time by leveraging optimized feature extraction and classification.
OBJECTS OF THE INVENTION
[0007] The principal object of the present invention is to overcome the disadvantages of the prior art.
[0008] An object of the present invention is to develop a cybersecurity solution capable of continuously and autonomously monitoring network traffic, thereby reducing reliance on manual analysis and improving network security.
[0009] Another object of the present invention is to develop a method that promptly identifies DDoS attack patterns by extracting and optimizing relevant features from network data, facilitating early detection and rapid response to threats.
[0010] Another object of the present invention is to develop a system enabling network administrators to take immediate mitigating actions and minimize service disruption.
[0011] Another object of the present invention is to develop a scalable solution capable of handling large volumes of network traffic data without compromising detection speed or accuracy.
[0012] Yet another object of the present invention is to develop a system providing comprehensive protection against DDoS attacks in diverse network environments.
[0013] The foregoing and other objects, features, and advantages of the present invention will become readily apparent upon further review of the following detailed description of the preferred embodiment as illustrated in the accompanying drawings.
SUMMARY OF THE INVENTION
[0014] The present invention relates to a cybersecurity system for detecting Distributed Denial of Service (DDoS) attacks in real time, thereby enhancing real-time attack detection and network protection.
[0015] According to an embodiment of the present invention, a cybersecurity system for detecting DDoS attacks in real time comprises a data collection module that gathers network traffic data, and a feature extraction module connected to the data collection module that takes network traffic data from the data collection module and uses pre-trained models to identify patterns of both normal and malicious behaviour related to DDoS attacks. The data collection module disclosed herein includes a preprocessing unit that normalizes network traffic data to ensure consistent input for the feature extraction module. A feature optimization module connected to the feature extraction module receives patterns from the feature extraction module and uses a whale optimization protocol to choose only the most important patterns, reducing data size and speeding up processing; the whale optimization protocol disclosed herein reduces the number of patterns processed by at least 50%.
[0016] According to another embodiment of the present invention, a classification module connected to the feature optimization module identifies whether the network traffic is normal or a DDoS attack, and an output module connected to the classification module provides alerts for immediate action. A scaling and adapting module works with the classification module to handle large amounts of network traffic and adjust to new types of DDoS attacks. The pre-trained models include a combination of convolutional neural networks and recurrent neural networks to capture both spatial and temporal patterns in network traffic data.
[0017] While the invention has been described and shown with particular reference to the preferred embodiment, it will be apparent that variations might be possible that would fall within the scope of the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] These and other features, aspects, and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings where:
Figure 1 illustrates a flow chart of a cybersecurity system for detecting DDoS attacks in real time.
DETAILED DESCRIPTION OF THE INVENTION
[0019] The following description includes the preferred best mode of one embodiment of the present invention. It will be clear from this description of the invention that the invention is not limited to these illustrated embodiments but that the invention also includes a variety of modifications and embodiments thereto. Therefore, the present description should be seen as illustrative and not limiting. While the invention is susceptible to various modifications and alternative constructions, it should be understood, that there is no intention to limit the invention to the specific form disclosed, but, on the contrary, the invention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention as defined in the claims.
[0020] In any embodiment described herein, the open-ended terms "comprising," "comprises," and the like (which are synonymous with "including," "having" and "characterized by") may be replaced by the respective partially closed phrases "consisting essentially of," "consists essentially of," and the like, or the respective closed phrases "consisting of," "consists of," and the like.
[0021] As used herein, the singular forms “a,” “an,” and “the” designate both the singular and the plural, unless expressly stated to designate the singular only.
[0022] The present invention relates to a cybersecurity system for detecting DDoS attacks in real time that continuously monitors network traffic patterns, thereby enhancing threat response accuracy, minimizing false positives, and providing real-time alerts to network administrators for prompt mitigation of Distributed Denial of Service (DDoS) attacks.
[0023] Referring to Figure 1, a flow chart of a cybersecurity system for detecting DDoS attacks in real time is illustrated.
[0024] The system disclosed herein includes a data collection module that functions to gather raw network traffic data from various sources such as routers, switches, and endpoints. Its purpose is to acquire comprehensive information including packet headers, payload data, source and destination addresses, port numbers, and timestamps. Once collected, the module initiates a preprocessing phase wherein irrelevant or redundant information, such as corrupted packets, incomplete flows, or broadcast noise, is identified and discarded to reduce analytical interference.
[0025] The cleaned data is then standardized into a consistent format, ensuring compatibility with downstream analytical components. This formatting includes structuring the data into time-ordered logs or flow records, tagging with relevant metadata, and converting into unified data types. The module may also include basic enrichment functions, such as protocol classification or geolocation tagging, to enhance the analytical value. This prepared dataset, free from noise and inconsistencies, is then forwarded to the analysis component, enabling efficient and accurate interpretation of network behavior, anomaly detection, or performance monitoring.
[0026] A feature extraction module of the system receives the formatted and cleaned network traffic data from the data collection module and processes it to identify attributes that may indicate Distributed Denial of Service (DDoS) attack patterns. Its purpose is to transform raw traffic records into a set of meaningful indicators by analyzing packet frequency, connection rates, request-response behaviors, payload sizes, protocol usage, and temporal characteristics.
[0027] The feature extraction module examines statistical trends such as sudden spikes in traffic volume, high numbers of requests from single sources, or irregular access attempts across multiple destinations. These features are selected based on their relevance to known DDoS signatures and behaviors, including SYN floods, UDP floods, or HTTP request bursts. The output is a structured dataset of extracted features that characterize each observed traffic instance, enabling precise classification or anomaly detection by subsequent components. By isolating key behavioral traits from complex traffic streams, the module helps highlight deviations that align with potential DDoS activity.
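As an added illustration (not part of the specification), the following Python computes the window-level indicators listed above from constructed packet records; the record layout, the 2-second window and the feature names are assumptions made for the example, and `window_features` generalises the per-window step to a whole capture.

```python
from collections import Counter

# Constructed packet records for one observation window (not real capture data):
# (timestamp_s, src_ip, dst_ip, protocol, tcp_flags, payload_bytes).  Eight of the ten
# packets are bare SYNs from a handful of sources aimed at one host, which is how the
# opening of a SYN flood looks inside a window.
WINDOW_SECONDS = 2.0
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", "TCP", "S", 0),
    (0.1, "10.0.0.5", "192.0.2.10", "TCP", "S", 0),
    (0.2, "10.0.0.5", "192.0.2.10", "TCP", "S", 0),
    (0.3, "10.0.0.5", "192.0.2.10", "TCP", "S", 0),
    (0.4, "10.0.0.6", "192.0.2.10", "TCP", "S", 0),
    (0.5, "10.0.0.6", "192.0.2.10", "TCP", "S", 0),
    (0.6, "10.0.0.7", "192.0.2.10", "TCP", "S", 0),
    (0.7, "10.0.0.8", "192.0.2.10", "TCP", "S", 0),
    (0.8, "198.51.100.2", "192.0.2.10", "TCP", "A", 512),
    (1.5, "198.51.100.3", "192.0.2.20", "UDP", "", 80),
]


def extract_features(packets, window_seconds):
    """Turn the packets of one time window into a flat feature vector: packet frequency,
    SYN-only share, source concentration, destination fan-out, protocol mix, payload size
    and inter-arrival timing.  Returns None for an empty window (nothing to score)."""
    total = len(packets)
    if total == 0:
        return None
    src_counts = Counter(p[1] for p in packets)
    # A SYN without ACK is a connection attempt that never progressed; floods are full of them.
    syn_only = sum(1 for p in packets if p[3] == "TCP" and "S" in p[4] and "A" not in p[4])
    ts = sorted(p[0] for p in packets)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "pkts_per_sec": total / window_seconds,
        "syn_only_ratio": syn_only / total,
        "top_src_share": src_counts.most_common(1)[0][1] / total,
        "unique_src": len(src_counts),
        "unique_dst": len({p[2] for p in packets}),
        "udp_share": sum(1 for p in packets if p[3] == "UDP") / total,
        "mean_payload": sum(p[5] for p in packets) / total,
        # With a single packet there is no gap; report the window length as "idle".
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else window_seconds,
    }


def window_features(packets, window_seconds):
    """Split a packet list into consecutive fixed windows and extract one vector per window,
    so the downstream modules see a time-ordered sequence of feature rows."""
    buckets = {}
    for p in sorted(packets):
        buckets.setdefault(int(p[0] // window_seconds), []).append(p)
    return [extract_features(buckets[k], window_seconds) for k in sorted(buckets)]


if __name__ == "__main__":
    for name, value in extract_features(SAMPLE_PACKETS, WINDOW_SECONDS).items():
        print(f"{name:>15}: {value}")
```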
[0028] A feature optimization module of the system operates on the output of the feature extraction module to identify and retain only the most relevant patterns, with the aim of reducing data dimensionality and improving processing efficiency. Its purpose is to evaluate the extracted features using statistical techniques or correlation analysis to determine which attributes contribute most significantly to distinguishing between normal traffic and potential DDoS activity.
[0029] Redundant, irrelevant, or low-impact features are discarded to prevent unnecessary computational load and to enhance the performance of downstream decision-making processes. The module may apply methods such as variance thresholding, mutual information ranking, or principal component analysis to refine the feature set. By selecting only the most informative patterns, the module ensures that essential characteristics are preserved while minimizing noise and resource usage. The optimized dataset, now smaller and more focused, is then passed to the classification or detection component, enabling faster and more accurate identification of DDoS attacks.
[0030] A classification module in the system receives the optimized set of features from the feature optimization module and evaluates them to determine whether the observed network traffic corresponds to normal behavior or a DDoS attack. Its purpose is to apply decision-making logic or learned models to categorize each traffic instance based on the patterns present in the refined dataset. The classification module utilizes techniques such as decision trees, support vector machines, or neural networks trained on labeled datasets containing both benign and malicious traffic samples.
[0031] During operation, the classification module compares incoming feature patterns against known profiles to detect anomalies or attack signatures, such as high-frequency requests from a single source or simultaneous access to multiple endpoints. Based on the analysis, the module assigns a classification label—normal or DDoS—along with a confidence score or probability level. This outcome enables prompt recognition of malicious activity, supporting alert generation, response activation, or further investigation. By focusing on selected, high-impact features, the module ensures accurate and efficient traffic classification.
[0032] An output module of the system receives classification results from the classification module and serves to deliver real-time alerts when DDoS attacks are detected, enabling immediate awareness and response. Its purpose is to convert the analytical outcome into actionable notifications that can be understood and acted upon by network administrators or automated response tools. Upon identifying traffic labeled as a DDoS attack, the module generates alerts containing key information such as the type of attack, affected IP addresses, timestamps, and severity levels. These alerts may be delivered through various channels, including dashboards, email notifications, log entries, or API endpoints integrated with incident response platforms.
[0033] A feature extraction module for a cybersecurity application takes in processed network traffic data from the data collection module and utilizes pre-trained models to identify relevant patterns indicative of both normal and malicious behavior. Its purpose is to convert the incoming structured data into a set of representative features by applying learned relationships derived from historical traffic patterns. The pre-trained models, developed through supervised or unsupervised learning on labeled datasets, help recognize characteristics such as traffic frequency, connection duration, protocol distribution, and packet size variations.
[0034] These features are extracted with a focus on distinguishing benign activity from anomalies commonly associated with cyber threats, including Distributed Denial of Service (DDoS) attacks. The output consists of a structured set of high-level attributes that capture the behavioral essence of the traffic, which is then passed on for further analysis or classification.
[0035] The feature optimization module for a cybersecurity application receives extracted patterns from the feature extraction module and employs a whale optimization protocol to identify and retain only the most critical features. Its purpose is to reduce the dimensionality of the data while preserving the most informative attributes that contribute to accurate threat detection. The whale optimization approach, inspired by the bubble-net hunting strategy of humpback whales, iteratively searches for the optimal subset of features by simulating exploration and exploitation behaviors within the feature space. This method evaluates the relevance of each feature in relation to the classification objective, discarding those with minimal impact on the detection of threats such as DDoS attacks.
[0036] By selecting a refined set of high-impact features, the module significantly decreases processing load, accelerates classification, and improves detection accuracy. The optimized feature set is then forwarded for final analysis, allowing the cybersecurity system to operate with greater speed and efficiency while maintaining detection reliability.
[0037] The classification module for a cybersecurity application receives optimized patterns from the feature optimization module and applies an extreme learning machine (ELM) to rapidly determine whether the incoming network traffic represents a DDoS attack or normal activity. Its purpose is to provide swift and accurate classification by leveraging the high-speed learning capability of ELM, which uses a single-layer feedforward neural network with randomly assigned hidden node parameters and analytically determined output weights. This architecture allows for fast training and prediction while maintaining high classification accuracy.
[0038] Upon receiving the refined feature set, the module processes each instance through the ELM model, which evaluates the input based on previously learned relationships between features and known traffic behaviors.
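An added example, not the specification's own code, of the ELM described in [0037]-[0038]: the hidden layer is drawn at random once and frozen, and the output weights come from a single closed-form ridge-regularised least-squares solve rather than iterative training. The two-feature sample windows, the 12 hidden nodes and the ridge constant are assumptions made for the example.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


# Constructed flow-window samples (not real traffic), already normalised to [0, 1]:
# [packet_rate, syn_only_ratio].  Label 1 = SYN-flood window, 0 = normal window.
def make_samples(seed=3, n_per_class=20):
    rng = random.Random(seed)
    X, y = [], []
    for label in (0, 1):
        lo, hi = (0.75, 1.0) if label else (0.0, 0.25)
        for _ in range(n_per_class):
            X.append([rng.uniform(lo, hi), rng.uniform(lo, hi)])
            y.append(label)
    return X, y


def solve(a, rhs):
    """Gauss-Jordan elimination with partial pivoting for a small dense system a * x = rhs."""
    n = len(a)
    m = [row[:] + [rhs[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


class ELM:
    """Single-hidden-layer feedforward network: hidden weights are random and frozen,
    output weights come from one closed-form (ridge-regularised) least-squares solve."""

    def __init__(self, n_inputs, n_hidden=12, ridge=1e-3, seed=0):
        rng = random.Random(seed)
        self.w = [[rng.uniform(-1, 1) for _ in range(n_hidden)] for _ in range(n_inputs)]
        self.b = [rng.uniform(-1, 1) for _ in range(n_hidden)]
        self.ridge = ridge
        self.beta = None

    def _hidden(self, x):
        # One H row: sigmoid(x . w_j + b_j) for every hidden node j
        return [sigmoid(sum(xi * wi[j] for xi, wi in zip(x, self.w)) + self.b[j])
                for j in range(len(self.b))]

    def fit(self, X, y):
        H = [self._hidden(x) for x in X]
        t = [1.0 if label else -1.0 for label in y]  # +1 = DDoS window, -1 = normal
        L = len(self.b)
        # beta = (H^T H + ridge * I)^-1 H^T t : analytic output weights, no epochs
        hth = [[sum(h[i] * h[j] for h in H) + (self.ridge if i == j else 0.0)
                for j in range(L)] for i in range(L)]
        htt = [sum(h[i] * ti for h, ti in zip(H, t)) for i in range(L)]
        self.beta = solve(hth, htt)
        return self

    def score(self, x):
        return sum(h * b for h, b in zip(self._hidden(x), self.beta))

    def predict(self, x):
        return 1 if self.score(x) > 0.0 else 0


def accuracy(model, X, y):
    return sum(model.predict(x) == label for x, label in zip(X, y)) / len(X)


if __name__ == "__main__":
    X, y = make_samples()
    model = ELM(n_inputs=2).fit(X, y)
    print("training accuracy:", accuracy(model, X, y))
    print("window [0.95, 0.90] ->", "DDoS" if model.predict([0.95, 0.90]) else "normal")
```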
[0039] A scaling and adapting module operates alongside the classification module to manage large volumes of network traffic and dynamically adjust to emerging types of DDoS attacks. Its purpose is twofold: to maintain consistent system performance under varying traffic loads and to ensure continued detection accuracy as threat patterns evolve. For scalability, the module allocates computational resources and balances workloads across processing units, allowing the system to efficiently handle high-throughput traffic without delays or data loss.
[0040] For adaptability, the scaling and adapting module monitors classification results and network behavior over time, identifying deviations that may indicate novel or modified attack strategies. Based on these observations, the scaling and adapting module facilitates updates to the classification model, either by triggering retraining processes or by incorporating feedback mechanisms, so that the system remains responsive to new threats. This dual functionality enables the cybersecurity setup to operate reliably across diverse and changing network environments.
[0041] A data collection module in the system includes a preprocessing unit that performs normalization of network traffic data to ensure consistency in the input provided to the feature extraction module. The purpose of this preprocessing unit is to standardize the range and format of various traffic attributes, such as packet size, connection duration, and request frequency, so that the feature extraction process operates on uniform and comparable data. This normalization involves scaling numerical values to a common range, converting categorical variables into numerical representations if needed, and aligning time-based data for chronological consistency. By removing scale-related disparities and format inconsistencies, the preprocessing unit enhances the reliability and accuracy of subsequent pattern identification.
[0042] The pre-trained models comprise a combination of convolutional neural networks (CNNs) and recurrent neural networks (RNNs) designed to capture both spatial and temporal patterns within the network traffic data. CNNs focus on extracting spatial features by identifying local correlations and structures within traffic attributes, such as packet payload patterns or protocol-specific signatures. Meanwhile, RNNs analyze sequential dependencies and temporal dynamics, detecting trends over time like bursty traffic behavior or periodic attack signals.
[0043] By integrating these two neural network types, the models effectively learn complex representations that reflect both the instantaneous characteristics and evolving sequences present in network flows. This dual approach enables more comprehensive pattern recognition, improving the system’s ability to distinguish between normal traffic and sophisticated DDoS attacks. The combined CNN-RNN architecture within the pre-trained models enhances the feature extraction module’s capability to provide rich and informative inputs for downstream optimization and classification processes.
[0044] The whale optimization protocol reduces the number of patterns processed by at least 50%, while retaining the most critical features necessary for accurate DDoS detection. This optimization evaluates the relevance of each extracted pattern and eliminates redundant or less informative ones through an iterative search inspired by the bubble-net hunting behavior of humpback whales. By focusing on selecting high-impact features, the protocol minimizes data dimensionality and computational overhead without sacrificing detection accuracy.
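An added example, not the specification's own code, of the whale-optimization feature selection described in [0035]-[0036] and [0044]: a binary whale optimization algorithm (sigmoid transfer on the continuous whale positions) searches feature subsets, a nearest-centroid wrapper accuracy with a size penalty serves as the fitness, and the "at least 50%" reduction is enforced as a hard cap on the decoded subset. The 10-feature constructed matrix, the population size, iteration count and penalty weight are assumptions made for the example.

```python
import math
import random


# Constructed, already-normalised feature matrix (not real traffic): 40 flow windows x 10
# features.  Features 0 (packet rate) and 1 (SYN-only ratio) separate attack windows from
# normal ones; features 2..9 stand in for attributes that barely move under attack.
def make_dataset(seed=1, n_per_class=20, n_features=10):
    rng = random.Random(seed)
    X, y = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            lo, hi = (0.8, 1.0) if label else (0.0, 0.2)
            row = [rng.uniform(lo, hi), rng.uniform(lo, hi)]
            row += [rng.uniform(0.4, 0.6) for _ in range(n_features - 2)]
            X.append(row)
            y.append(label)
    return X, y


def centroid_accuracy(X, y, subset):
    """Wrapper fitness: nearest-centroid accuracy using only the selected feature indices."""
    if not subset:
        return 0.0
    cents = {}
    for label in (0, 1):
        rows = [X[i] for i in range(len(X)) if y[i] == label]
        cents[label] = [sum(r[j] for r in rows) / len(rows) for j in subset]
    correct = 0
    for x, label in zip(X, y):
        d = {c: sum((x[j] - m) ** 2 for j, m in zip(subset, cents[c])) for c in cents}
        correct += min(d, key=d.get) == label
    return correct / len(X)


def fitness(X, y, subset, alpha=0.1):
    # Reward accuracy, penalise the fraction of features kept so smaller subsets win ties.
    return centroid_accuracy(X, y, subset) - alpha * len(subset) / len(X[0])


def decode(position, max_keep):
    """Binary WOA: sigmoid transfer + 0.5 threshold, then enforce the >= 50 % reduction cap."""
    scores = [1.0 / (1.0 + math.exp(-p)) for p in position]
    chosen = [j for j, s in enumerate(scores) if s > 0.5]
    if len(chosen) > max_keep:  # keep only the strongest activations
        chosen = sorted(sorted(chosen, key=lambda j: -scores[j])[:max_keep])
    if not chosen:  # an empty subset is not a usable solution
        chosen = [max(range(len(scores)), key=scores.__getitem__)]
    return chosen


def whale_select(X, y, n_whales=12, n_iter=40, seed=7):
    rng = random.Random(seed)
    n = len(X[0])
    max_keep = n // 2  # "at least 50 %" reduction as a hard constraint
    pos = [[rng.uniform(-2, 2) for _ in range(n)] for _ in range(n_whales)]
    best, best_fit = None, -1.0
    for p in pos:
        f = fitness(X, y, decode(p, max_keep))
        if f > best_fit:
            best, best_fit = p[:], f
    b = 1.0  # spiral shape constant
    for t in range(n_iter):
        a = 2.0 - 2.0 * t / n_iter  # a decreases linearly from 2 to 0
        for i in range(n_whales):
            r1, r2 = rng.random(), rng.random()
            A, C = 2 * a * r1 - a, 2 * r2
            if rng.random() < 0.5:
                # |A| < 1: encircle the best whale (exploitation); else follow a random one
                leader = best if abs(A) < 1 else pos[rng.randrange(n_whales)]
                new = [ld - A * abs(C * ld - xi) for ld, xi in zip(leader, pos[i])]
            else:  # bubble-net spiral around the best whale
                l = rng.uniform(-1, 1)
                new = [abs(bd - xi) * math.exp(b * l) * math.cos(2 * math.pi * l) + bd
                       for bd, xi in zip(best, pos[i])]
            pos[i] = [max(-4.0, min(4.0, v)) for v in new]
            f = fitness(X, y, decode(pos[i], max_keep))
            if f > best_fit:
                best, best_fit = pos[i][:], f
    return decode(best, max_keep), best_fit


if __name__ == "__main__":
    X, y = make_dataset()
    subset, fit = whale_select(X, y)
    print("kept features", subset, "fitness %.3f" % fit,
          "reduction %.0f%%" % (100 * (1 - len(subset) / len(X[0]))))
```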
[0045] The present invention works best in the following manner: raw network traffic data is collected from multiple sources using the dedicated data collection module, which preprocesses the data by filtering out noise, normalizing attributes, and formatting the information for analysis. The cleaned data is then passed to a feature extraction module, which applies pre-trained models combining convolutional neural networks and recurrent neural networks to capture both spatial and temporal patterns indicative of network behavior. From the extracted features, the feature optimization module employs the whale optimization protocol to select the most significant patterns, reducing the feature set by at least 50% while preserving those critical for accurate detection. The refined features are forwarded to the classification module utilizing an extreme learning machine, which quickly and accurately distinguishes between normal network activity and DDoS attack traffic. To ensure scalability and adaptability, the scaling and adapting module monitors system performance and network conditions, adjusting resource allocation and facilitating model updates to respond to evolving attack types. Finally, the output module provides real-time alerts based on classification results, enabling prompt mitigation of detected threats.
[0046] Although the field of the invention has been described herein with limited reference to specific embodiments, this description is not meant to be construed in a limiting sense. Various modifications of the disclosed embodiments, as well as alternate embodiments of the invention, will become apparent to persons skilled in the art upon reference to the description of the invention.
Claims:
1) A cybersecurity system for detecting DDoS attacks in real time, comprising:
i) a data collection module that gathers network traffic data and prepares it by removing noise and formatting it for analysis;
ii) a feature extraction module connected to the data collection module, which processes the formatted data to identify patterns related to DDoS attacks;
iii) a feature optimization module connected to the feature extraction module, which selects the most important patterns to reduce data size and speed up processing;
iv) a classification module connected to the feature optimization module, which analyzes the selected patterns to identify whether the network traffic is normal or a DDoS attack; and
v) an output module connected to the classification module, which provides real-time alerts about detected DDoS attacks for immediate action.
2) The system as claimed in claim 1, wherein the feature extraction module takes network traffic data from the data collection module and uses pre-trained models to identify patterns of both normal and malicious traffic.
3) The system as claimed in claim 1, wherein the feature optimization module receives patterns from the feature extraction module and uses a whale optimization protocol to choose only the most important patterns, making the system faster and more efficient.
4) The system as claimed in claim 1, wherein the classification module takes optimized patterns from the feature optimization module and uses an extreme learning machine to quickly decide whether the network traffic is a DDoS attack or normal activity.
5) The system as claimed in claim 1, wherein a scaling and adapting module works with the classification module to handle large amounts of network traffic and adjust to new types of DDoS attacks, ensuring the system works well in different network environments.
6) The system as claimed in claim 1, wherein the data collection module includes a preprocessing unit that normalizes network traffic data to ensure consistent input for the feature extraction module.
7) The system as claimed in claim 1, wherein the pre-trained models include a combination of convolutional neural networks and recurrent neural networks to capture both spatial and temporal patterns in network traffic data.
8) The system as claimed in claim 1, wherein the whale optimization protocol reduces the number of patterns processed by at least 50% while keeping the most critical ones for accurate DDoS detection.
| # | Name | Date |
|---|---|---|
| 1 | 202541077331-STATEMENT OF UNDERTAKING (FORM 3) [13-08-2025(online)].pdf | 2025-08-13 |
| 2 | 202541077331-REQUEST FOR EARLY PUBLICATION(FORM-9) [13-08-2025(online)].pdf | 2025-08-13 |
| 3 | 202541077331-PROOF OF RIGHT [13-08-2025(online)].pdf | 2025-08-13 |
| 4 | 202541077331-POWER OF AUTHORITY [13-08-2025(online)].pdf | 2025-08-13 |
| 5 | 202541077331-FORM-9 [13-08-2025(online)].pdf | 2025-08-13 |
| 6 | 202541077331-FORM FOR SMALL ENTITY(FORM-28) [13-08-2025(online)].pdf | 2025-08-13 |
| 7 | 202541077331-FORM 1 [13-08-2025(online)].pdf | 2025-08-13 |
| 8 | 202541077331-FIGURE OF ABSTRACT [13-08-2025(online)].pdf | 2025-08-13 |
| 9 | 202541077331-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [13-08-2025(online)].pdf | 2025-08-13 |
| 10 | 202541077331-EVIDENCE FOR REGISTRATION UNDER SSI [13-08-2025(online)].pdf | 2025-08-13 |
| 11 | 202541077331-EDUCATIONAL INSTITUTION(S) [13-08-2025(online)].pdf | 2025-08-13 |
| 12 | 202541077331-DRAWINGS [13-08-2025(online)].pdf | 2025-08-13 |
| 13 | 202541077331-DECLARATION OF INVENTORSHIP (FORM 5) [13-08-2025(online)].pdf | 2025-08-13 |
| 14 | 202541077331-COMPLETE SPECIFICATION [13-08-2025(online)].pdf | 2025-08-13 |