Evaluating Temporal and Structural Anomaly Detection Paradigms for DDoS Traffic
Yasmin Souza Lima, Rodrigo Moreira, Larissa F. Rodrigues Moreira, Tereza Cristina M. de B. Carvalho, Flávio de Oliveira Silva

TL;DR
This paper evaluates whether temporal or structural features are more effective for unsupervised anomaly detection of DDoS attacks in 5G networks, proposing a decision framework to select the best feature space.
Contribution
It introduces a lightweight framework that determines whether to prioritize temporal or structural features before anomaly detection, based on diagnostics.
Findings
Structural features outperform temporal features in anomaly detection.
The performance gap widens as temporal dependence weakens.
The framework effectively guides feature space selection for DDoS detection.
Abstract
Unsupervised anomaly detection is widely used to detect Distributed Denial-of-Service (DDoS) attacks in cloud-native 5G networks, yet most studies assume a fixed traffic representation, either temporal or structural, without validating which feature space best matches the data. We propose a lightweight decision framework that prioritizes temporal or structural features before training, using two diagnostics: lag-1 autocorrelation of an aggregated flow signal and PCA cumulative explained variance. When the probes are inconclusive, the framework reserves a hybrid option as a future fallback rather than an empirically validated branch. Experiments on two statistically distinct datasets with Isolation Forest, One-Class SVM, and KMeans show that structural features consistently match or outperform temporal ones, with the performance gap widening as temporal dependence weakens.
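The two probes named in the abstract, implemented with NumPy as an added example; this is not code from the paper or its authors. The thresholds, the number of components counted, the rule that treats agreeing probes as inconclusive, and the sample data are all assumptions, since the page states none of them.

```python
import numpy as np

# Assumed cut-offs: the page names the two probes but states no thresholds.
ACF_MIN = 0.5   # lag-1 autocorrelation at or above this => temporal dependence
CEV_MIN = 0.9   # top-k cumulative explained variance at or above this => compact structure
TOP_K = 2       # number of principal components counted (assumption)

def lag1_autocorrelation(signal):
    """Lag-1 autocorrelation of an aggregated flow signal (e.g. flows per window)."""
    x = np.asarray(signal, dtype=float)
    x = x - x.mean()
    denom = float(np.dot(x, x))
    if denom == 0.0:          # a constant signal carries no temporal information
        return 0.0
    return float(np.dot(x[:-1], x[1:]) / denom)

def pca_cumulative_variance(features, k=TOP_K):
    """Share of total variance captured by the top-k principal components."""
    X = np.asarray(features, dtype=float)
    std = X.std(axis=0)
    std[std == 0.0] = 1.0     # keep constant columns from dividing by zero
    Z = (X - X.mean(axis=0)) / std
    eig = np.linalg.eigvalsh(np.cov(Z, rowvar=False))[::-1]  # descending order
    eig = np.clip(eig, 0.0, None)
    total = float(eig.sum())
    return float(eig[:k].sum() / total) if total > 0.0 else 0.0

def choose_feature_space(signal, features):
    """Hypothetical decision rule: one clear probe wins, anything else is 'hybrid'."""
    temporal = lag1_autocorrelation(signal) >= ACF_MIN
    structural = pca_cumulative_variance(features) >= CEV_MIN
    if temporal != structural:
        return "temporal" if temporal else "structural"
    return "hybrid"           # probes agree or both fail: inconclusive

# Constructed sample data (not the paper's datasets).
rng = np.random.default_rng(0)
smooth_signal = np.sin(np.linspace(0, 4 * np.pi, 500))   # slowly varying load
noisy_signal = rng.normal(size=500)                       # no temporal dependence
mix = np.array([[1, 2, -1, 0.5, 1.5, -2], [2, -1, 1, 1.5, -0.5, 1]])
low_rank = rng.normal(size=(500, 2)) @ mix + 0.05 * rng.normal(size=(500, 6))
isotropic = rng.normal(size=(500, 6))                     # no dominant components

if __name__ == "__main__":
    print(choose_feature_space(smooth_signal, isotropic))
    print(choose_feature_space(noisy_signal, low_rank))
    print(choose_feature_space(noisy_signal, isotropic))
```

Features are standardized before the eigendecomposition so that a single high-magnitude column such as byte counts does not dominate the explained-variance probe.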
