Per-Attack-Type Evidence Aggregation for Interpreting Multi-Agent DDoS Detection
DOI: https://doi.org/10.51699/cajitmf.v7i3.1320
Keywords: DDoS detection, multi-agent systems, evidence aggregation, evidence fusion, analyst console, attack taxonomy, explainable machine learning, ablation analysis
Abstract
Multi-agent Distributed Denial-of-Service (DDoS) detection decomposes the decision-making process into a supervised classification agent, an anomaly detection agent, a normal-behavior or baseline-deviation agent, and a transparent rule-based evidence agent. The outputs of these agents are subsequently integrated by an evidence-fusion agent to yield a unified risk score and discrete risk level. While this architectural approach enhances modularity and interpretability, it poses a pivotal evaluation challenge: for each attack category, which detector provides the primary discriminative signal, and how does evidence fusion reconcile partial or conflicting evidence? This paper introduces a per-attack-type evidence aggregation methodology, accompanied by an analyst console visualization. For each analysis window, five normalized signals are retained: classification probability, anomaly score, baseline-deviation score, rule-evidence score, and fused risk. Records are grouped by scenario, and empirical means, dispersion statistics, peak risk, and maximum ordinal risk levels are computed for SYN, UDP, HTTP, amplification, and benign reference scenarios. The resulting visualization elucidates detector complementarity, disagreement, and the consistency of evidence fusion across the attack taxonomy. This methodology is explicitly diagnostic and not intended as a replacement for accuracy-based evaluation; it is used in conjunction with per-class precision, recall, F1 score, confusion matrices, cross-dataset validation, and agent ablation experiments. The principal contribution is an analyst-centered methodology for interpreting multi-agent DDoS detection outcomes, while rigorously controlling for alert-selection bias, target leakage, imbalanced sample counts, and intra-class variability.
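The per-scenario aggregation described in the abstract can be illustrated as follows. This is an added example, not code from the paper: the field names, the four-level risk scale, the "dominant" and "disagreement" summaries, and every sample window are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed names for the four detector signals and the ordinal risk scale.
DETECTORS = ("clf_prob", "anomaly", "baseline_dev", "rule_score")
LEVELS = ("low", "medium", "high", "critical")

# Constructed sample windows:
# (scenario, clf_prob, anomaly, baseline_dev, rule_score, fused_risk, level)
WINDOWS = [
    ("syn", 0.95, 0.60, 0.70, 0.90, 0.88, "critical"),
    ("syn", 0.85, 0.50, 0.60, 0.80, 0.76, "high"),
    ("udp", 0.70, 0.90, 0.70, 0.40, 0.74, "high"),
    ("udp", 0.60, 0.80, 0.80, 0.30, 0.70, "high"),
    ("http", 0.40, 0.30, 0.85, 0.20, 0.52, "medium"),
    ("http", 0.50, 0.20, 0.75, 0.10, 0.48, "medium"),
    ("amplification", 0.80, 0.85, 0.90, 0.95, 0.93, "critical"),
    ("benign", 0.05, 0.10, 0.08, 0.00, 0.06, "low"),
    ("benign", 0.03, 0.20, 0.12, 0.00, 0.08, "low"),
]

def aggregate(windows):
    """Group windows by scenario and summarise each detector and the fused risk."""
    groups = defaultdict(list)
    for scenario, *values in windows:
        groups[scenario].append(values)
    report = {}
    for scenario, rows in groups.items():
        cols = list(zip(*rows))  # one tuple per signal column
        means = {name: mean(cols[i]) for i, name in enumerate(DETECTORS)}
        report[scenario] = {
            "n": len(rows),  # always report the count: groups may be imbalanced
            "mean": means,
            "std": {name: pstdev(cols[i]) for i, name in enumerate(DETECTORS)},
            "mean_fused": mean(cols[4]),
            "peak_risk": max(cols[4]),
            "max_level": max(cols[5], key=LEVELS.index),
            # Detector with the highest mean signal for this scenario.
            "dominant": max(means, key=means.get),
            # Spread between strongest and weakest detector means.
            "disagreement": max(means.values()) - min(means.values()),
        }
    return report

if __name__ == "__main__":
    for scenario, row in aggregate(WINDOWS).items():
        print(scenario, row["n"], row["dominant"], row["peak_risk"], row["max_level"])
```

The `n` column matters when reading the output: a scenario represented by a single window (here, amplification) has zero dispersion by construction, which says nothing about intra-class variability.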
Copyright (c) 2026 Central Asian Journal of Innovations on Tourism Management and Finance

This work is licensed under a Creative Commons Attribution 4.0 International License.