<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd">
<article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article">
 <front>
  <journal-meta>
   <journal-id journal-id-type="publisher-id">
    jcc
   </journal-id>
   <journal-title-group>
    <journal-title>
     Journal of Computer and Communications
    </journal-title>
   </journal-title-group>
   <issn pub-type="epub">
    2327-5219
   </issn>
   <issn publication-format="print">
    2327-5227
   </issn>
   <publisher>
    <publisher-name>
     Scientific Research Publishing
    </publisher-name>
   </publisher>
  </journal-meta>
  <article-meta>
   <article-id pub-id-type="doi">
    10.4236/jcc.2024.1212014
   </article-id>
   <article-id pub-id-type="publisher-id">
    jcc-138554
   </article-id>
   <article-categories>
    <subj-group subj-group-type="heading">
     <subject>
      Articles
     </subject>
    </subj-group>
    <subj-group subj-group-type="Discipline-v2">
     <subject>
      Computer Science 
     </subject>
     <subject>
       Communications
     </subject>
    </subj-group>
   </article-categories>
   <title-group>
    Big Data&amp;DDoS ATTACKS: A Discussion of Ensemble Algorithms to Detect Cyber Attacks
   </title-group>
   <contrib-group>
    <contrib contrib-type="author" xlink:type="simple">
     <name name-style="western">
      <surname>
       Anja
      </surname>
      <given-names>
       Housden-Brooks
      </given-names>
     </name>
    </contrib>
   </contrib-group> 
   <aff id="affnull">
    <addr-line>
     aAnglia Ruskin University, Cambridge, UK
    </addr-line> 
   </aff> 
   <pub-date pub-type="epub">
    <day>
     03
    </day> 
    <month>
     12
    </month>
    <year>
     2024
    </year>
   </pub-date> 
   <volume>
    12
   </volume> 
   <issue>
    12
   </issue>
   <fpage>
    246
   </fpage>
   <lpage>
    265
   </lpage>
   <history>
    <date date-type="received">
     <day>
      20,
     </day>
     <month>
      September
     </month>
     <year>
      2024
     </year>
    </date>
    <date date-type="published">
     <day>
      27,
     </day>
     <month>
      September
     </month>
     <year>
      2024
     </year> 
    </date> 
    <date date-type="accepted">
     <day>
      27,
     </day>
     <month>
      December
     </month>
     <year>
      2024
     </year> 
    </date>
   </history>
   <permissions>
    <copyright-statement>
     © Copyright 2014 by authors and Scientific Research Publishing Inc. 
    </copyright-statement>
    <copyright-year>
     2014
    </copyright-year>
    <license>
     <license-p>
      This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/
     </license-p>
    </license>
   </permissions>
   <abstract>
    The use of machine learning algorithms to identify characteristics in Distributed Denial of Service (DDoS) attacks has emerged as a powerful approach in cybersecurity. DDoS attacks, which aim to overwhelm a network or service with a flood of malicious traffic, pose significant threats to online systems. Traditional methods of detection and mitigation often struggle to keep pace with the evolving nature of these attacks. Machine learning, with its ability to analyze vast amounts of data and recognize patterns, offers a robust solution to this challenge. The aim of the paper is to demonstrate the application of ensemble ML algorithms, namely the K-Means and the KNN, for a dual clustering mechanism when used with PySpark to collect 99% accurate data. The algorithms, when used together, identify distinctive features of DDoS attacks that prove a very accurate reflection of reality, so they are a good combination for this aim. Impressively, having preprocessed the data, both algorithms with the PySpark foundation enabled the achievement of 99% accuracy when tuned on the features of a DDoS big dataset. The semi-supervised dataset tabulates traffic anomalies in terms of packet size distribution in correlation to Flow Duration. By training the K-Means Clustering and then applying the KNN to the dataset, the algorithms learn to evaluate the character of activity to a greater degree by displaying density with ease. The study evaluates the effectiveness of the K-Means Clustering with the KNN as ensemble algorithms that adapt very well in detecting complex patterns. Ultimately, cross-reaching environmental results indicate that ML-based approaches significantly improve detection rates compared to traditional methods. Furthermore, ensemble learning methods, which combine two plus multiple models to improve prediction accuracy, show greatness in handling the complexity and variability of big data sets especially when implemented by PySpark. The findings suggest that the enhancement of accuracy derives from newer software that’s designed to reflect reality. However, challenges remain in the deployment of these systems, including the need for large, high-quality datasets and the potential for adversarial attacks that attempt to deceive the ML models. Future research should continue to improve the robustness and efficiency of combining algorithms, as well as integrate them with existing security frameworks to provide comprehensive protection against DDoS attacks and other areas. The dataset was originally created by the University of New Brunswick to analyze DDoS data. The dataset itself was based on logs of the university’s servers, which found various DoS attacks throughout the publicly available period to totally generate 80 attributes with a 6.40GB size. In this dataset, the label and binary column become a very important portion of the final classification. In the last column, this means the normal traffic would be differentiated by the attack traffic. Further analysis is then ripe for investigation. Finally, malicious traffic alert software, as an example, should be trained on packet influx to Flow Duration dependence, which creates a mathematical scope for averages to enact. In achieving such high accuracy, the project acts as an illustration (referenced in the form of excerpts from my Google Colab account) of many attempts to tune. Cybersecurity advocates for more work on the character of brute-force attack traffic and normal traffic features overall since most of our investments as humans are digitally based in work, recreational, and social environments.
   </abstract>
   <kwd-group> 
    <kwd>
     K-Means Clustering
    </kwd> 
    <kwd>
      The KNN Algorithm
    </kwd> 
    <kwd>
      PySpark
    </kwd> 
    <kwd>
      Ensemble Learning Methods
    </kwd> 
    <kwd>
      DDoS Attacks
    </kwd> 
    <kwd>
      Veracity
    </kwd> 
    <kwd>
      Malicious Traffic Alert Systems
    </kwd>
   </kwd-group>
  </article-meta>
 </front>
 <body>
  <sec id="s1">
   <title>1. Introduction</title>
   <p>If one considers a popular online gaming platform like StarCraft hosting a highly anticipated tournament, when going live, players and viewers alike could find themselves unable to connect whilst experiencing disconnections. This may well be due to a DDoS attack targeting the game server by flooding it with bogus traffic. DDoS or Distributed Denial of Service attacks are malicious attempts to disrupt online services by overwhelming servers with a flood of traffic from multiple sources.</p>
   <p>“These attacks render the targeted services unavailable to legitimate users, causing downtime, financial losses, and reputational damage to businesses. Unlike data breaches or malware infections, DDoS attacks aim to disrupt services” <xref ref-type="bibr" rid="scirp.138554-1">
     [1]
    </xref> rather than ruining data. This is achieved by swamping the target with mass traffic, making sites inaccessible to legitimate users. The motivations range, for example, could realise as a “competitor … launch[ing] a DDoS attack against a rival’s website during a peak sales period to disrupt their business” <xref ref-type="bibr" rid="scirp.138554-1">
     [1]
    </xref> and gain an advantage over them.</p>
   <p>Over time, the world has transformed from the technologically superior landscape at our feet today. People are now dependent on the internet. Gadgets are constantly interconnected to the digital ecosystem. The internet is a global information source. Despite this, cybercriminals’ attacker knowledge has strengthened and resulted in different methodologies being used to access company data stores, which is one example of a cyberattack. Moreover, DDoS attacks remain the most effective methods used by criminals to cause substantial damage to organizations globally in terms of operational, reputational, and financial problems. The victim’s network is flooded with massive illegal traffic, hence denying genuine traffic from passing through for authorized users <xref ref-type="bibr" rid="scirp.138554-2">
     [2]
    </xref>.</p>
   <p>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>Recent data shows a significant evolution in the landscape of Distributed Denial of Service attacks, “with trends observed in 2024”. Due to rising sophistication and volume in the first half of 2024 <xref ref-type="bibr" rid="scirp.138554-3">
     [3]
    </xref>. Cloudflare mitigated 8.5 million DDoS attacks, marking a 20% increase compared to the same period in 2023 <xref ref-type="bibr" rid="scirp.138554-3">
     [3]
    </xref>. The attacks are becoming increasingly sophisticated, leveraging advanced techniques that were once the domain of state-sponsored actors but are now accessible to ordinary cybercriminals, which means the data should be read as accurately as possible to gain control of the problem. The average size of these attacks has also grown, with many targeting critical infrastructure and services. This is why size to time ratio is important. Shifts in attack strategies can be seen through the facts and figures summed up here: “Although the total number of DDoS attacks has decreased by about 54.7%, the average attack size has increased by over 233% compared to the previous year” <xref ref-type="bibr" rid="scirp.138554-3">
     [3]
    </xref>. This suggests a strategic shift towards fewer but more impactful and, therefore, complex attacks.</p>
   <p>K-Means Clustering, which is used with the KNN algorithm, incorporates the data accounting for the individual differences in attack profiles and creates grounds to recommend tailored intervention to precise degrees. This is due to the ability of the latter to cross-validate, a weakness of the K-Means, which works best on less complex datasets and can efficiently collate centroids but shows most effectiveness in preparing data for the application of the KNN in the instance of organizing big and complex datasets. Catching subtle and low-rate DDoS attacks that may elide threshold-based detection is also of interest. K-Means Clustering with the KNN enables real-time analysis of multiple traffic features simultaneously revealing the bursts of impactful DDoS attacks and implying idioms of character due to the excellent density range detection. Can K-Means clustering combined with the KNN and PySpark find new patterns that might be of interest to the wider body of work on DDOS Attacks? This study proves they do.</p>
   <p>Cloud Computing says DDoS attacks are “A flood of traffic from users who share a single behavioral profile, such as device type, geolocation … unexplained surge in requests to a single page or endpoint … odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g., a spike every 10 minutes)” <xref ref-type="bibr" rid="scirp.138554-3">
     [3]
    </xref>. Algorithms have already identified indicators, but more can be sought.</p>
   <p>ML algorithms can analyze large volumes of network traffic data to identify patterns and anomalies connected with DDoS attacks. This allows for better accuracy differentiation between more severe attack spikes that could cause the company grave problems and less damaging ones to normal traffic. Furthermore, ML models can process network data quickly, enabling timely identification of the ongoing issue of these attacks. The benefit of having as much information built into a generative system is a possibility for businesses and YouTubers alike to immediately mitigate responses through fast detection. By learning from historical data, machine learning approaches aim to minimize false alarms from less threatening traffic but create contingent computerized initializations when facing problematic attacks.</p>
   <p>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>The objective then is to develop smart algorithms for detecting the character of attacks based on K-Means Clustering when used with the very versatile KNN as a double algorithm launched on the dataset on a PySpark foundation.</p>
  </sec><sec id="s2">
   <title>2. PySpark</title>
   <p>Additionally, PySpark creates the environment for the data to organize before K-means and the KNN can successfully cluster which offers several key benefits for big data analysis through machine learning in terms of scalability and performance <xref ref-type="bibr" rid="scirp.138554-4">
     [4]
    </xref>. PySpark provides distributed computing capabilities, allowing K-means clustering and the KNN to be performed on very large datasets that would prove troublesome in terms of veracity and volume had PySpark not been used firstly.</p>
   <p>For efficient data processing, PySpark’s distributed data engine efficiently handles data preparation, feature engineering, and other preprocessing steps <xref ref-type="bibr" rid="scirp.138554-5">
     [5]
    </xref> before applying K-means and the KNN for the clustering process. This streamlines the entire workflow from raw data to supervised results. Moreover, iterative attempts to control the size of the data eventually leads to algorithm optimization in K-means which then translates to a more precise solution as opposed to taking giant leaps. Incremental Python code used in Colab pre-tunes centroid distributions through numeric relevance by using the greater or smaller than operand to highlight packet amount according to time duration thus highlighting differences in normal traffic and bruteforce attack traffic.</p>
   <p>PySpark’s in-built computing allows for fast iterations when refining [labels] <xref ref-type="bibr" rid="scirp.138554-4">
     [4]
    </xref>. This speeds up the overall clustering process when the algorithms are launched in large datasets. PySpark’s MatplotLib library also provides a computerized canvas for the visualization of a K-means to KNN implementation that integrates seamlessly with other data processing steps <xref ref-type="bibr" rid="scirp.138554-6">
     [6]
    </xref>. PySpark allows K-means to be incorporated into more complex ML workflows. “K-Means is an unsupervised learning algorithm that clusters data into groups. You pass the algorithm some data and specify how many groups you would like it to find. It will then try to split the data into groups Furthermore, its streaming enables real-time clustering on streamed data” <xref ref-type="bibr" rid="scirp.138554-7">
     [7]
    </xref> which allows for dynamic multi-modal clustering of data points and attendant updating of cluster assignments on the quick. Moreover, parallel model training is also compatible with the K-means models with different parameters as in the centroids to average ratio and can be trained via parallel leveraging PySpark’s distributed computing <xref ref-type="bibr" rid="scirp.138554-8">
     [8]
    </xref> which clearly enables more efficient parameter tuning.</p>
  </sec><sec id="s3">
   <title>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>3. Literature Review</title>
   <p>Several studies have demonstrated the effectiveness of ensemble methods for DDoS detection and thus are a powerful approach for detecting attacks, offering improved accuracy and robustness compared to single machine learning models. This literature review re-examines recent research on ensemble methods for DDoS attack detection. When under attack, the system remains busy with false requests rather than offering usual services to legitimate agents. These attacks have been increasing with time and are now more complex. Consequently, it has become difficult to detect the character of attacks and thereby work to secure servers.</p>
   <p>The dataset is characterized by contemporary types of attacks such as forward flows, packets in the forward direction, average number in bytes in the forward direction, average number of bytes in the backward direction with many other tabulated titles or various relevance. It was decided that the columns: flow duration and packets in the forward Direction were important what with the segmenting deployment capability of the binary label column in this study which binarized the data into malicious and non-malicious traffic according to preprocessed parameters.</p>
   <p>“WEKA used to classify various types of attacks. It has been observed that J48 algorithm produced best results as compared to Random Forest and Naïve Bayes algorithms” <xref ref-type="bibr" rid="scirp.138554-7">
     [7]
    </xref>. J48 is an implementation of the C4.5 decision tree algorithm developed by Ross Quinlan. It is used to generate a decision tree for classification tasks. “J48 is an extension of the earlier ID3 algorithm, with additional features to address limitations of ID3” <xref ref-type="bibr" rid="scirp.138554-8">
     [8]
    </xref>.</p>
   <p>Random Forest, an ensemble of decision trees, has shown promising results in DDoS detection. A study by Das et al. <xref ref-type="bibr" rid="scirp.138554-9">
     [9]
    </xref> used an ensemble of unsupervised machine learning algorithms, including Random Forest, to implement an intrusion detection system with high accuracy for detecting attacks. The authors found that the ensemble approach outperformed existing methods and provided better generalization. The proposed approach “is validated using datasets with various modern type of attacks such as HTTP flood, SIDDoS and normal traffic” <xref ref-type="bibr" rid="scirp.138554-10">
     [10]
    </xref>.</p>
   <p>In a study where twelve clustering ensemble algorithms are compared to choose a basic, most efficient one, the k-means, with different initializations as generative mechanism and average-linkage as the consensus function was alone good although the dataset was smaller than the one used here. Generally, studies so far show that when ensemble size increases, the performance improves especially when data is of a similarity matrix <xref ref-type="bibr" rid="scirp.138554-11">
     [11]
    </xref> of a similarity matrix to partition data into clusters.</p>
   <p>The K-means searches for its nearest neighbour but can be compromised by outliers unlike the KNN which more easily learns from patterns and is used by streaming giants Facebook and Spotify <xref ref-type="bibr" rid="scirp.138554-12">
     [12]
    </xref>. Generally, studies so far show “as ensemble size increases, the performance of clustering ensemble improves” <xref ref-type="bibr" rid="scirp.138554-13">
     [13]
    </xref>. Unilateral clustering ensemble algorithms are better than narrow clustering due to the influence of diversity on the clusters as instructive to “selecting members” <xref ref-type="bibr" rid="scirp.138554-13">
     [13]
    </xref>.</p>
   <p>Using PySpark’s in-built MatPlotLib for visualisation byway clustering ensemble methods are touched upon in one comprehensive paper that develops a multiple source dataset and observes its visualization utilizing PySpark to detect outliers and their possible meaning when applying the clustering algorithms. Instead of devoicing the outlier, the paper demonstrated that “the Kafka [used] as a message … [with] flat incremental clustering is done to develop a frame of the normal activities based on the dataset for training. The clusters are produced dynamically and are not fixed” <xref ref-type="bibr" rid="scirp.138554-14">
     [14]
    </xref>. In this case the classification is leveraged by the meaning of the outlier which PySpark allows.</p>
   <p>Towards advances in use of sensor technology, it is now possible to acquire “hyperspectral data simultaneously in hundreds of bands” <xref ref-type="bibr" rid="scirp.138554-15">
     [15]
    </xref>. The new algorithms can both reduce the dimensionality of the initial data set by handling highly correlated bands and exploit the information in these data sets very effectively. The authors of the paper promote a set of feature extraction algorithms that are simple yet fast, especially effective for classification of high dimensional data which I believe posed a problem in this study for acquiring decent visual data that refers to Brute-Force traffic and not just Benign which was achieved yet was good for displaying the ability for complex and accurate visualization. The techniques deployed by these algorithms intelligently mix subsets of adjacent bands into a smaller number of features as is the usual case with the KNN which did provide excellent centroid partitioning as shown below using an example of normal traffic features and achieved 99% accuracy, providing very good results that can also be interchanged for the inspection of malicious traffic.</p>
   <p>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>In the study top-down and bottom-up algorithms recursively partition bands into two—not particularly equal—sets of bands before replacing them by the mean values. “The bottom-up algorithm builds an agglomerative tree by merging highly correlated adjacent bands and projecting them… yielding high discrimination among classes” <xref ref-type="bibr" rid="scirp.138554-15">
     [15]
    </xref>. The latest algorithms find variable length “localized in wavelength, [and] favor grouping highly correlated adjacent bands that, either by taking their mean or … linear projection, [and thus] yield maximum discrimination” <xref ref-type="bibr" rid="scirp.138554-15">
     [15]
    </xref>, The aforenoted study was conducted on the AVIRIS data set for a 12-class problem and reveal improvement in accuracy while using a smaller number of features.</p>
   <p>Amin Karami’s paper on the matter of preventing severe DDoS attacks in the current techno-climate looks at Information-Centric Networking (ICN), receiver-driven paradigm shifts in the broader tech horizon—and its relationship with defense—against new forms of potentially unknown attacks with the focus on privacy. Blocking malicious network traffic, thus limiting damage. DDoS attacks translate to many problems such as congestion control, and cache pollution. “In order to protect NDN infrastructure, we need flexible, adaptable and robust defense systems which can make intelligent—and real-time—decisions to enable network entities to behave in an adaptive and intelligent manner” <xref ref-type="bibr" rid="scirp.138554-16">
     [16]
    </xref>. Computational intelligence materializes in “adaption, fault tolerance, high computational speed” <xref ref-type="bibr" rid="scirp.138554-16">
     [16]
    </xref> make them suitable.</p>
   <p>To the matter of unsupervised data or semi-supervised machine learning can be used for obtaining categories of unlabeled or partially labeled data based on applicable metrics based on dissimilarity. Further on, the data is completely assigned the labels as per the algorithms’ observed differentiation. “The features are taken for victim-end identification of attacks and the work is demonstrated with three features … using agglomerative and K-means … to label the data and obtain classes to distinguish attacks from normal traffic” <xref ref-type="bibr" rid="scirp.138554-17">
     [17]
    </xref>. In a study, K-Nearest Neighbors (the KNN), Support Vector Machine (SVM) and Random Forest (RF) [were] implemented to obtain classification. “The KNN, SVM and RF models in experimental results provide 95%, 92% and 96.66% accuracy scores respectively under optimized parameter tuning within given sets of values” <xref ref-type="bibr" rid="scirp.138554-17">
     [17]
    </xref>. Ultimately, the schema is also validated using a subset of benchmark dataset with new vectors of attack.</p>
   <p>Numerous studies have focused on developing machine learning (ML) classifier and artificial intelligence (AI) assistance for the prediction so one can capture traffic data. Several prominent clustering algorithms have been employed in the context of DDoS attack detection, including the ones here.</p>
   <p>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>K-means clustering is one of the most widely used and partitions data into K clusters by minimizing the sum of squared distances between data points and their respective cluster centers. Algorithms constructs a hierarchy of clusters, starting from individual data points and merging them into larger clusters based on similarity measures. Additionally, density-based methods like the KNN identify clusters based on regions of high density in the data. Traffic classification through clustering algorithms is used to classify network traffic into different categories of Normal traffic which is what was successfully achieved in this paper illustrating behavior if the centroids are intelligibly and logically organized in the preceding preprocessing stage. It is also worth noting that by clustering IP addresses or other network identifiers, clustering algorithms can help identify the sources of DDoS attacks and can be used to group similar DDoS attack patterns in proximation to the origin, enabling the selection of appropriate mitigation strategies.</p>
   <p>Challenges and limitations exist, however. These belong to the area of parameter selection where preprocessing should be at once logical. The performance of clustering algorithms often depends on the selection of appropriate parameters. One has to know their dataset well to get it right as scalability may prove problematic. Network traffic volumes continue to grow, and clustering algorithms must be scalable to handle large datasets efficiently in the pursuit of accuracy as the presence of outliers in network data can degrade the accuracy if not dealt with in the tuning stages.</p>
   <p>To address the challenges and limitations of traditional clustering algorithms, researchers have explored ensemble approaches that combine clustering with anomaly detection, machine learning, and deep learning. Additionally, future research directions include areas of importance such as real-time detection, by developing clustering algorithms that can detect DDoS attacks on the quick to minimize damage. Adaptive clustering points to changing network conditions and evolving attack patterns. Further integration with network security systems is also a wider aim of clustering ensemble algorithms via existing network security systems to enhance their effectiveness. To this, leveraging cloud-based solutions is of interest. Cloud computing platforms scale clustering algorithms and improve their performance.</p>
   <p>In the realm of DDoS Detection and severity, various machine learning models have been employed to achieve accurate results. For instance, adopting the feature selection technique with SVM classifier for early detection, and their results were compared with random forest (RF), naive Bayes (NB), decision tree (DT), and KNN classification models.</p>
   <p>In early detection of diabetes disease Aminah et al., used k-nearest neighbor (KNN) classifier model was used and the result was compared with that of the support vector machine (SVM) model achieving 85.6% accuracy. The results comparison was made with another machine learning classifier called SVM to authenticate the work.</p>
   <p>By further combining PySpark’s big data capabilities with advanced ensemble clustering, data scientists and analysts can perform precise analysis on massive datasets in a scalable and efficient manner that speak with accuracy. This unlocks insights that may not be possible with traditional single-machine implementations.</p>
   <p>In another study, algorithms were implemented on PySpark to focus on the details and performance of algorithms on different distributed system setups for estimating future demand and sales. Insightful information for strategic decision-making, resource allocation, and inventory control which cordons anomalies for tabular view. In utilizing the selected machine learning algorithms for constructing a graphic illustration with the help of MatPlotlib enables a bespoke approach to visualizing systems that better fit the company/institution/streamer in the protection against malware. PySpark is used for its “scalability, parallel processing … and seamless integration with … MLlib [as] a powerful machine learning library … offering a comprehensive set of scalable and distributed algorithms that enable efficient processing and analysis of large datasets” <xref ref-type="bibr" rid="scirp.138554-18">
     [18]
    </xref>. and gain insight into solutions to fit the changing shifts in the technological climate.</p>
  </sec><sec id="s4">
   <title>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>4. Preprocessing and Collection: Methodology and Visualizations</title>
   <p>Machine learning/AL algorithms used for model development.</p>
   <p>Data Collection</p>
   <p>The challenge is the volume and the veracity due to missing values and null values and other customizations. The dataset is about 600 mb and comprises of much schema. Here one installs the latest release of Pyspark in Google Colab and run it. It is important to consider spark as an interface between dataframe, caching mechanism and structuring data.</p>
   <p>As you can see below checking memory is very important when using big data before we connect to Google Drive and upload the DDoS Dataset</p>
   <p>Code 1.</p>
   <p>!df -h</p>
   <p>from google.colab import drive</p>
   <p>drive.mount('/content/drive')</p>
   <p>!cat /proc/meminfo</p>
   <p>!pip3 install pyspark</p>
   <p>#To check the available memory</p>
   <p>!free – h</p>
   <p>#To check the available cores</p>
   <p>! nproc</p>
   <p>#Linking with Spark</p>
   <p>#connect to google drive for dataset</p>
   <p>from google.colab import drive</p>
   <p>drive.mount('/content/drive')</p>
   <p>(dataframe)</p>
   <p>df = spark.read.format('csv').load("/content/drive/MyDrive/Amin's dataset.csv", inferSchema = True, header = True)</p>
   <p>Preprocessing</p>
   <p>Moving data to disc and sending data over to memory is going to reduce performance but this problem occurs primarily with big datasets so we need have to be very careful about compression in order to reduce data. Initializing Spark shows the degree of memory in cores so one knows what we’re dealing with in terms of processing. In format you have to explicate what data we are reading which is a csv file in this situation.</p>
   <p>Once our data is uploaded.</p>
   <p>Code 2.</p>
   <p>Code continued:</p>
   <p>df.rdd.getNumPartitions()</p>
   <p>spark.conf.set('spark.sql.files.maxPartitionBytes', 128 * 1024 * 1024)</p>
   <p>Data Source Input Split.</p>
   <p>Default Partition size (128MB, text, csv, json, parquet)</p>
   <p>Resource Allocation</p>
   <p>Data Locality</p>
   <p>Non-file based data (NonSQL, Amazon kinesis, Amazon DynamoDB, Google Bigtable, Amazon S3, Google Cload, Neoj4, Amazon Redshift): predicates or column-based partitioning.</p>
   <p>Custom Partitioning</p>
   <p>#Increase the number of partitions</p>
   <p>df2 = df.repartition(6)</p>
   <p>df2.rdd.getNumPartitions()</p>
   <p>6</p>
   <p>df3 = df.repartition('Bwd Pkt Len Min')</p>
   <p>df3.rdd.getNumPartitions()</p>
   <p>Looking at the data we can see we have null values and data that has zero efficacy to the aim of finding patterns that allude to particularities. (see <xref ref-type="fig" rid="fig1">
     Figure 1
    </xref>) In order to process this data, we need to get the number of partitions. Ideally, each partition should be roughly 128 megabytes but might not evenly distribute data. PySpark has different sized partitioned files depending on format, but one can precondition partition size which was not necessary here because Spark took best route.</p>
   <fig id="fig1" position="float">
    <label>Figure 1</label>
    <caption>
     <title>Figure 1. PySpark organised dataset.</title>
    </caption>
    <graphic mimetype="image" position="float" xlink:type="simple" xlink:href="https://html.scirp.org/file/1732917-rId15.jpeg?20241230023359" />
   </fig>
   <p>Feature Extraction</p>
   <p>Code 3.</p>
   <p>Here we have partitions that need to decrease because there are so many. One re-creates data frame to 10 partitions. Compiling information to less partition’s shuffles data based on columns which ultimately finalise with label which is binary, and after preprocessing will augment the data into benign and brute force traffic.</p>
   <p>Repartitioning by Range will evenly distribute data across the column by the column Flow Duration as that is the dependant variable to measure packet influx shown in the example below which is important because attack traffic is proven to disseminate mass traffic by flow time</p>
   <p>df6 = df.repartitionByRange(10,'Flow Duration')</p>
   <p>df6.rdd.getNumPartitions()</p>
   <p>#Get rid of all 'benign' data, but keep HTP Bruteforce due to its relevance to actual attacks</p>
   <p>df6.write.option('header', T</p>
   <p>rue)</p>
   <p>.partitionBy("Label")</p>
   <p>.mode("overwrite")</p>
   <p>.csv("Label_df6")</p>
   <p>df5.write.option('header', True)</p>
   <p>.partitionBy("Label")</p>
   <p>.mode("overwrite")</p>
   <p>.csv("Label_df5")</p>
   <p>df4.write.option('header', True) ........</p>
   <p>This element was returned to regularly and recalibrated to be correct. Dimensionality Reduction exists in multimodal types like flat mixed with integer and float and must be orchestrated properly to reduce the number of features in the DDoS dataset’ while retaining as much of the important information as possible.</p>
   <p>df3.write.option('header', True)</p>
   <p>.partitionBy("Label")</p>
   <p>………….</p>
   <p>df3.select("Flow Duration","Fwd Pkts/s").</p>
   <p>+-------------+---------------+</p>
   <p>|Flow Duration| Fwd Pkts/s|</p>
   <p>+-------------+---------------+</p>
   <p>| 798|1253.1328320802|</p>
   <p>Getting more familiar with data is inherent.</p>
   <p>Flow Packets Rate is the number of packets transferred per second.</p>
   <p>Creating the Conditions</p>
   <p>The aim is to repartition organized data by the Label column to structure the entire data into two segments showing benign and brute force traffic character. Repartition over Label Column. It is important to have a healthy number partitions based on Label column so column size is correlative diversity. In other words, if its structured as non-binary – for example by using Flow Duration - then it will produce too many potentially unorganized values. Additionally, every null value is kept is a corresponding number co-exists within the row.</p>
   <p>Continue to tune</p>
   <p>df3.filter((df3["Flow Duration"] &gt; 1000)). show(10)</p>
   <p>df3.filter((df3["Flow Duration"] &gt; 10000)).</p>
   <p>MEAN appropriation</p>
   <p>from pyspark.sql.functions import mean, sum, round, col #import col function</p>
   <p>df4.groupBy('Label').agg(</p>
   <p>round(mean('Flow Duration'), 2).alias("mean_Flow Duration"),</p>
   <p>sum('Flow Duration').alias("sum_Flow Duration"),</p>
   <p>).show(10)</p>
   <p>#SORT</p>
   <p>df3.sort(col('Pkt Len Max'), col('Flow Pkts/s'), ascending = False).show(10)</p>
   <p>AGGREGATE AVERAGE OF FLOW DURATION</p>
   <p>+--------------+------------------+-----------------+</p>
   <p>| Label|mean_Flow Duration|sum_Flow Duration|</p>
   <p>+--------------+------------------+-----------------+</p>
   <p>|SSH-Bruteforce| 183349.68| 34394383592|</p>
   <p>| Benign| 9773470.56| 6525023054919|</p>
   <p>|FTP-BruteForce| 3.8| 735386|</p>
   <p>+--------------+------------------+-----------------+</p>
   <p>from pyspark.sql.functions import col,count, when</p>
   <p>missing_values = df3.select([count(when(col(c).isNull(), c)).alias(c) for c in df3.columns])</p>
   <p>missing_values.show(10)</p>
   <p>……..</p>
   <p>SETTING PARAMETERS (see <xref ref-type="fig" rid="fig2">
     Figure 2
    </xref>)</p>
   <p>df_copy = df3.select("*")</p>
   <p>df_filled = df_copy.fillna(subset=['Flow Duration'], value= 10000)#Fill NaNs in 'Flow Duration' with 10000</p>
   <p>df_filled.show(40)</p>
   <p>Min","Bwd URG Flags……….</p>
   <fig id="fig2" position="float">
    <label>Figure 2</label>
    <caption>
     <title>Figure 2. Flow duration.</title>
    </caption>
    <graphic mimetype="image" position="float" xlink:type="simple" xlink:href="https://html.scirp.org/file/1732917-rId16.jpeg?20241230023359" />
   </fig>
   <p>Change values to Integer</p>
   <p>from pyspark.sql.functions import collect_list</p>
   <p># Select columns with float data type</p>
   <p>float_cols = [f.name for f in df.schema if f.dataType.typeName() == 'float']</p>
   <p>SUCCESS! FILE EXISTS - PROCEED WITH ANALYSIS.</p>
   <p>import pandas as pd</p>
   <p>from sklearn.cluster import KMeans</p>
   <p>RUNNING K-MEANS CLUSTERING ALGORITHM TO NEW DATASET.</p>
   <p># Define the features you want to use for clustering</p>
   <p>features = ["Flow Duration", "Flow Pkts/s", "Fwd Pkts/s", "Label"]</p>
   <p># Standardize features(important for K-Means)</p>
   <p>scaler = StandardScaler()</p>
   <p>Dimensionality Reduction:</p>
   <p># Convert selected features to numeric, handling non-numeric values</p>
   <p># Coerce errors to NaN and fill with 0</p>
   <p># Use PySpark's to_numeric function to convert columns to numeric type</p>
   <p>for feature in features:</p>
   <p>df3 = df3.withColumn(feature, F.col(feature).cast("double"))</p>
   <p>#Fill null values with o</p>
   <p>df3 = df3.fillna(0, subset=features)</p>
   <p>#Handle infinite values with Nans before scaling</p>
   <p>………</p>
   <p>scaled_features = scaler.fit_transform(df3_pandas[features])</p>
   <p># Apply KMeans Clustering</p>
   <p>kmeans = KMeans(n_clusters=3, random_state=42)</p>
   <p>kmeans.fit(scaled_features)</p>
   <p># Add cluster label to original data</p>
   <p># Assign the result of kmeans.labels_to a new column in df3</p>
   <p>df3_pandas['Cluster'] = kmeans.labels_ # Add cluster labels to the Pandas DataFrame</p>
   <p>super()._check_params_vs_input(X, default_n_init=10)</p>
   <p>Flow Duration Flow Pkts/s Fwd Pkts/s Label</p>
   <p>Cluster</p>
   <p>0 9.770899e+06 5.644587e+04 28917.946975 0.0</p>
   <p>1 1.562041e+00 1.451033e+06 769551.414899 0.0</p>
   <p>2 -7.100713e+11 -3.485627e-04 0.000000 0.0</p>
   <p>VISUALIZATION</p>
   <p>!pip install matplotlib</p>
   <p>import matplotlib.pyplot as plt</p>
   <p># df_3pandas is your Pandas Dataframe with cluster labels</p>
   <p>plt.figure(figsize=(8, 6))</p>
   <p>plt.scatter(df3_pandas['Flow Duration'], df3_pandas['Label'], c=df3_pandas['Cluster'], …….</p>
   <p>plt.show()</p>
   <p>Analyse clusters</p>
   <p>Results show variance problems.</p>
   <p>CREATING SCATTERPLOT</p>
   <p>!pip install seaborn</p>
   <p>import seaborn as sns # Added this line import the seaborn library</p>
   <p># Install necessary libraries</p>
   <p>!pip install scikit-learn</p>
   <p># Import necessary libraries</p>
   <p>import pandas as pd</p>
   <p>from sklearn.model_selection import train_test_split</p>
   <p>Implementations of the KNN</p>
   <p>Requirement already satisfied: threadpoolctl&gt;=2.0.0 in /usr/local/lib/python3.10/dist-packages (from scikit-learn) (3.5.0)</p>
   <p>Accuracy: 0.9995994564051213:</p>
   <p>Accuracy refers to how often the model correctly predicts the class label for a given input. Here the intermix of K-Means to reorganise and then KNN model discriminating a prediction of the right label for 99 out of 100 examples means accuracy is 99%.</p>
   <p>Formula: Accuracy=Number of Correct PredictionsTotal Number of Predictions×100text{Accuracy} = frac{text{Number of Correct Predictions}}{text{Total Number of Predictions}} times 100Accuracy=Total Number of PredictionsNumber of Correct Predictions ×100</p>
   <p># Load the dataframe</p>
   <p>df = pd.read_csv('Label_df3.csv')</p>
   <p># Select features and target variable</p>
   <p>features = ['Flow Duration', 'Flow IAT Max', 'Init Fwd Win Byts']</p>
   <p>target = 'Label'</p>
   <p>X = df[features]</p>
   <p>y = df[target]</p>
   <p># split data into training and testing sets</p>
   <p>X_train, X_test, y_train, y_test = train_test_split(</p>
   <p>X, y, test_size=0.2, random_state=42</p>
   <p># Scale the features using StandardScaler</p>
   <p>scaler = StandardScaler()</p>
   <p>X_train = scaler.fit_transform(X_train)</p>
   <p>X_test = scaler.transform(X_test)</p>
   <p># Initialize the KNN classifier</p>
   <p>knn = KNeighborsClassifier()</p>
   <p>knn.fit(X_train, y_train)</p>
   <p># Make predictions on the testing set</p>
   <p>y_pred = knn.predict(X_test)</p>
   <p># Create a scatter plot</p>
   <p># Select two features for visualization</p>
   <p>feature1 = 'Flow Duration'</p>
   <p>feature2 = 'Flow IAT Max'</p>
   <p>Clearly the Data only shows characteristics of Benign Traffic, a testimony to accuracy of ensemble methods. The scatterplot allows for a clear spatial representation of data points, which is crucial for understanding KNN’s distance-based approach. (see <xref ref-type="fig" rid="fig3">
     Figure 3
    </xref>) Each point on the plot represents a data instance, with its position determined by feature values. The dense areas can indicate vulnerable times of the attack traffic due to large scope for opportunity, but it is the desired aim to visualize the brute force traffic if one is interested in Malware.</p>
   <fig id="fig3" position="float">
    <label>Figure 3</label>
    <caption>
     <title>Figure 3. Scatter plot of KNN predictions.</title>
    </caption>
    <graphic mimetype="image" position="float" xlink:type="simple" xlink:href="https://html.scirp.org/file/1732917-rId17.jpeg?20241230023359" />
   </fig>
  </sec><sec id="s5">
   <title>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>5. ML/AI Model Development</title>
   <p>A KNN Clustering Model will act through its ability to cross-validate data. The K-Means clustering alone as shown above can fall short of certain datapoints due to the computational intensitivity it might pose. This is because it searches for its nearest neighbour but can be compromised by outliers unlike the KNN which more easily learns from patterns and is used by streaming giants Facebook and Spotify <xref ref-type="bibr" rid="scirp.138554-12">
     [12]
    </xref>. By adding an extension to the algorithm. The results will be developed according to the best accuracy gleaned preprocessed data from multiple sources and provide a baseline guidance in creating software through Ml algorithms.</p>
   <p>The key of the algorithm is to select the best K, that is the best neighbours to obtain the best prediction. For example, a low k produces variance that is higher as shown above, whereas a high k can produce more biased outcomes. Finding the best k is only possible through testing the effect of different values to enhance cross-validation.</p>
   <p>To design a Brute Force Alert Software, it is important to understand the nature of attacks.</p>
   <p>A brute force attack is a trial and error expedition with the aim of guessing passwords or encryption keys by strategically trying every possible combination. To design an effective alert system, one needs to understand common indicators of such attacks.</p>
   <p>Key Indicators of Brute Force Attacks:</p>
   <p>Abnormal login attempts or an anomolized spike in failed login attempts from a single IP address or multiple IP addresses in a short period; unusual access patterns; attempts to log in using common passwords and strange login times. Slow system performance and attendant significant decrease in the said system performance arise due to excessive login attempts. Network congestion from increased network traffic from specific IP addresses is another indicator.</p>
   <p>Design Considerations for a Brute Force Alert Software</p>
   <p>Real-time monitoring means that the software would continuously monitor system logs and network traffic for suspicious activity. Threshold-based alerts will ensure this and can be set within the categories of as an example - greater than 10,000 pkts/s per - highlighted in the coding subsection of this experiment. Set thresholds for failed login attempts, abnormal access patterns, or network congestion are also sub-features of importance in system design. When these thresholds are exceeded, the software should trigger an alert. IP address tracking should be kept track of. IP addresses that have attempted multiple failed logins are a cause for alert.</p>
   <p>Alert System Algorithm:</p>
   <p>1) Collect data through continuously monitor system logs and network traffic for login attempts.</p>
   <p>2) Analyze data to identify patterns of abnormal login attempts, such as multiple failed attempts from the same IP address or unusual login times.</p>
   <p>3) Compare against thresholds to compare the observed patterns against predefined thresholds.</p>
   <p>4) Trigger alerts if the thresholds are exceeded, send alerts to designated recipients.</p>
   <p>5) Update thresholds to adjust thresholds based on historical data and current security trends.</p>
   <p>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>Evaluation of a proposed System</p>
   <p>Traffic monitoring will implement real-time data collection from DDOS Attacks so naturally the aim would be to set up a system to continuously collect and analyze incoming traffic data. Calculating baseline traffic is of vital importance to establish context. Establishing baseline traffic patterns over a specific time period is gauged according to flow duration and flow.</p>
   <p>An example of a Spike Detection Algorithm based on statistical analysis such as z-score analysis, to detect anomalies in traffic patterns.</p>
   <p>Code:</p>
   <p>python</p>
   <p>def calculate_z_score(current_value, mean, std_dev):</p>
   <p>return (current_value - mean) / std_dev</p>
   <p>Set Deviation Threshold</p>
   <p>Define a threshold for what constitutes a significant deviation (e.g., 3.5 standard deviations).</p>
   <p>python</p>
   <p>DEVIATION_THRESHOLD = 3.5</p>
   <p>Minimum Request Threshold</p>
   <p>Implement Request Count Check</p>
   <p>Add a condition to ensure the spike involves at least 1000 requests.</p>
   <p>MIN_REQUEST_THRESHOLD = 1000</p>
   <p>…… return z_score &gt; DEVIATION_THRESHOLD and (current_requests - mean_requests) &gt;= MIN_REQUEST_THRESHOLD</p>
   <p>Combine the spike detection and minimum threshold check to trigger alerts.</p>
   <p>python</p>
  </sec><sec id="s6">
   <title>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>6. Experimental Results</title>
   <p>Clustering algorithms are unsupervised machine learning techniques that group similar data points together based on predefined distance metrics. These algorithms are particularly useful for identifying patterns and anomalies within large datasets proving themselves by assisting the accrual of 99% accuracy in this study.</p>
   <p>K-means clustering is one of the most widely used clustering algorithms which partitions data into K clusters by minimizing the sum of squared distances between data points and their respective cluster centers. Spectral clustering leverages the “eigenvalues and eigenvectors” <xref ref-type="bibr" rid="scirp.138554-11">
     [11]
    </xref> of a similarity matrix to partition data into clusters.</p>
   <p>As shown in the scatterplot, Anomaly detection is demonstrated in the density of the clusters and detect deviations that likely indicate anomalous of benign and malicious traffic activity, such as problematic DDoS attacks. The traffic classification ability shows the collection of density which lead to conclusions of prominent traffic.</p>
   <p>The data shows network traffic data with features: “Flow Duration”, “Pkt Len Max”, “Label”, “Flow Pkts/s” and indicate the parameters of malicious traffic compared to null values across the Excel charts. The code performs various operations on this data, including data loading and exploration by loading data from a reduced DDoS CSV file, showing its schema, and calculating basic statistics. The algorithm cleans by handling missing values by dropping rows or filling them with constant values. Data reduction is enacted by removing irrelevant columns to simplify the dataset. Data transformation is imparted through the conversion of data types, aggregating data, and sorting it.</p>
   <p>The K-Means Clustering algorithm groups similar data points. Classification and training as explained was further enacted by a K-Nearest Neighbors (KNN) model to predict the “Label” column outcomes as it pivoted the entire dataset and instructed features. Visualization allows us to see clusters and to thereby create model predictions for system updates.</p>
   <p>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>The model stands at 99% percent accuracy after the implementation of the second algorithm: the KNN after the K-means to hone the centroids by virtue of reaching a cross-validated accuracy of 0.99. As expected, the algorithm has reached an almost perfect classification when the code was augmented to equalize the scales and take away correlations between features.</p>
  </sec><sec id="s7">
   <title>
    <xref ref-type="bibr" rid="scirp.138554-"></xref>7. Conclusions</title>
   <p>By selecting features from big diversity data for low-dimensional data frames that focus on idiosyncrasies to answer a common research question like how do we achieve the most accuracy? The use of dual clustering algorithms at the time of writing is better. While clustering algorithms offer promising solutions for DDoS attack detection, they also face several challenges and limitations. These issues may fall within the component of parameter selection whereby the performance of clustering algorithms often depends on the selection of appropriate parameters that are meaningful to the character of the attack or received by the server. The number of clusters in K-means or the density threshold selection in the preprocessing phase is key to prearranging the K-Means for the extremely high-level of the KNN. This means removing null values, exploring outliers and removing columns that seek to serve little purpose. Basically, the prepping of the dataset, using K-Means before applying the KNN, was crucial to my best knowledge. PySpark pre-empts the detection of outliers, making them more easily achievable to accrue understanding from the get-go before applying the clustering algorithms.</p>
   <p>Outliers unhinge the results of the K-Means, upsetting the balance of the reduced dataset by having too high variance and producing results that were skewed at the beginning of this study, which emphasizes the importance of mitigating centroid retardation through the omittance of columns that are not entirely useful thus reharmonizing the table in the tuning stage. Furthermore, the addition of the KNN at this point spoke more precisely with the pre-arranged data, providing valid results of top-level accuracy, reducing variance, and re-harmonizing the vectors in order to statistically find the averages of all relevant vectors.</p>
   <p>Evolving attack patterns can be seen using this method to a very high rate of accuracy as long as features are selected with knowledge of a correlation as being dependent on one another. In this regard, the “Flow Duration” column to “Forward Packets” and others were centered before splitting the data by the label column to produce a clearer illustration of traffic differentiation, benign or malicious.</p>
   <p>Ultimately, the intermix of K-Means to reorganise before the implementation of the KNN model discriminates to a precise prediction when using the right labels in preprocessing for 99 out of 100 examples means accuracy is 99%.</p>
  </sec>
 </body><back>
  <ref-list>
   <title>References</title>
   <ref id="scirp.138554-ref1">
    <label>1</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     (2024) ML Beginner’s Guide to DDoS Attack Detection Model. Labeller. &gt;https://www.labellerr.com/blog/ddos-attack-detection/ 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref2">
    <label>2</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kabanda, R., Byera, B., Emeka, H. and Mohiuddin, K.T. (2023) The History, Trend, Types, and Mitigation of Distributed Denial of Service Attacks. Journal of Information Security, 14, 464-471. &gt;https://doi.org/10.4236/jis.2023.144026
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref3">
    <label>3</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Cloudflare (2024) What Is a DDoS Attack?&gt;https://www.cloudflare.com/en-gb/learning/ddos/what-is-a-ddos-attack/ 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref4">
    <label>4</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     GeeksforGeeks (2023) K-Means Clustering Using PySpark Python.&gt;https://www.geeksforgeeks.org/k-means-clustering-using-pyspark-python/ 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref5">
    <label>5</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Ranjan, A. (2024) Leveraging PySpark Pandas to Streamline Big Data Analysis. Medium. &gt;https://blog.devgenius.io/leveraging-pyspark-pandas-to-streamline-big-data-analysis-be4200bad3bf 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref6">
    <label>6</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     (2023) Unlocking Insights with K-Means Clustering: Applications&amp;Benefits. ENCORD. &gt;https://encord.com/glossary/k-means-clustering/ 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref7">
    <label>7</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Gavin, L. (2016) Clustering Web Users with Streaming K-Means. &gt;https://www.lewisgavin.co.uk/Machine-Learning-Kmeans/ 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref8">
    <label>8</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Eva (2024) Pyspark: Applying Kmeans on Different Groups of a Dataframe. Stack Overflow. &gt;https://stackoverflow.com/questions/47224479/pyspark-applying-kmeans-on-different-groups-of-a-dataframe 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref9">
    <label>9</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Das, S., Venugopal, D. and Shiva, S. (2024) A Holistic Approach for Detecting DDoS Attacks by Using Ensemble Unsupervised Machine Learning. &gt;https://drsaikatdas.com/papers/holistic.pdf 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref10">
    <label>10</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Saini, P.S., Behal, S. and Bhatia, S. (2020) Detection of DDoS Attacks Using Machine Learning Algorithms. 2020 7th International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, 12-14 March 2020, 16-21. &gt;https://doi.org/10.23919/indiacom49435.2020.9083716
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref11">
    <label>11</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Saravanan, N. and Gayathri, V. (2018) Performance and Classification Evaluation of J48 Algorithm and Kendall’s Based J48 Algorithm (KNJ48). International Journal of Computational Intelligence and Informatics, 7, 188-198. &gt;https://www.periyaruniversity.ac.in/ijcii/issue/marnew/2_mar_18.pdf 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref12">
    <label>12</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Mueller, J. and Massaron, L. (2021) Machine learning. John Wiley&amp;Sons.
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref13">
    <label>13</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Wu, X., Ma, T., Cao, J., Tian, Y. and Alabdulkarim, A. (2018) A Comparative Study of Clustering Ensemble Algorithms. Computers &amp; Electrical Engineering, 68, 603-615. &gt;https://doi.org/10.1016/j.compeleceng.2018.05.005
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref14">
    <label>14</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     G., D.R. (2020) Real Time Anomaly Detection Techniques Using Pyspark Frame Work. Journal of Artificial Intelligence and Capsule Networks, 2, 20-30. &gt;https://doi.org/10.36548/jaicn.2020.1.003
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref15">
    <label>15</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Kumar, S., Ghosh, J. and Crawford, M.M. (2001) Best-Bases Feature Extraction Algorithms for Classification of Hyperspectral Data. IEEE Transactions on Geoscience and Remote Sensing, 39, 1368-1379. &gt;https://doi.org/10.1109/36.934070
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref16">
    <label>16</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Karami, A. (2015) The Use of Computational Intelligence for Security in Named Data Networking. Master’s Thesis, Universitat Politècnica de Catalunya.&gt;http://hdl.handle.net/2117/95631 
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref17">
    <label>17</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Aamir, M. and Ali Zaidi, S.M. (2021) Clustering Based Semi-Supervised Machine Learning for Ddos Attack Classification. Journal of King Saud University—Computer and Information Sciences, 33, 436-446. &gt;https://doi.org/10.1016/j.jksuci.2019.02.003
    </mixed-citation>
   </ref>
   <ref id="scirp.138554-ref18">
    <label>18</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Harshitha, T., Tanya, S., Jaswanthi, T. and Venugopalan, M. (2024) A Scalable Machine Learning Model for Sales Forecasting Using PySpark. 2024 International Conference on Knowledge Engineering and Communication Systems (ICKECS), Chikkaballapur, 18-19 April 2024, 1-6. &gt;https://doi.org/10.1109/ickecs61492.2024.10616759
    </mixed-citation>
   </ref>
  </ref-list>
 </back>
</article>