This repository contains the code and resources for the research paper "Learning Fast to Detect Slow: A Few-Shot Neural Approach to Slow DoS Attack Detection". The proposed ENE4 (Ensemble Network of feature Extractors for Few-shot learning) framework tackles the challenge of detecting stealthy, low-rate Denial-of-Service (DoS) attacks by integrating supervised and unsupervised learning under data-scarce conditions.
- Few-Shot Learning for Cybersecurity: Capable of detecting underrepresented and evasive Slow DoS attacks with minimal labeled data;
- Hybrid DL Architecture: Combines a pre-trained supervised MLP and a Variational Autoencoder (VAE) to extract both attack-specific and attack-agnostic features;
- Knowledge Transfer: Uses a transfer learning approach to adapt knowledge from frequent attack types to stealthier ones;
- Data Augmentation and Focal Loss: Enhances robustness and handles class imbalance;
- Benchmark-Ready: Evaluated on CIC-IDS2017 and 5G-NIDD datasets, outperforming classical ML baselines under few-shot constraints.
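
The focal-loss point above can be made concrete with an added example (not code from this repository, and written in plain Python rather than PyTorch so it runs without dependencies). It compares how much of a batch's loss comes from a handful of attack samples under cross-entropy and under binary focal loss; the `gamma` and `alpha` values, the batch and the function names are assumptions, since the README does not state which focal-loss variant or settings ENE4 uses.

```python
import math

def bce(p, y):
    """Binary cross-entropy for one sample; p = predicted P(attack), y in {0, 1}."""
    p_t = p if y == 1 else 1.0 - p          # probability assigned to the true class
    return -math.log(p_t)

def focal(p, y, gamma=2.0, alpha=0.25):
    """Binary focal loss: -alpha_t * (1 - p_t)^gamma * log(p_t).

    gamma and alpha are assumed values, not taken from the ENE4 code.
    """
    p_t = p if y == 1 else 1.0 - p
    alpha_t = alpha if y == 1 else 1.0 - alpha
    # (1 - p_t)^gamma shrinks the loss of samples the model already gets right.
    return -alpha_t * (1.0 - p_t) ** gamma * math.log(p_t)

def attack_loss_share(batch, loss_fn):
    """Fraction of the total batch loss contributed by attack-labelled samples."""
    total = sum(loss_fn(p, y) for p, y in batch)
    attack = sum(loss_fn(p, y) for p, y in batch if y == 1)
    return attack / total

# Constructed batch: 95 benign flows the model scores confidently (p = 0.05)
# and 5 slow DoS flows it still scores poorly (p = 0.30).
BATCH = [(0.05, 0)] * 95 + [(0.30, 1)] * 5

if __name__ == "__main__":
    print(f"cross-entropy: attack share of loss = {attack_loss_share(BATCH, bce):.3f}")
    print(f"focal loss:    attack share of loss = {attack_loss_share(BATCH, focal):.3f}")
```

Under cross-entropy the 95 easy benign flows still account for nearly half of the loss; with the modulating factor almost all of it comes from the five hard attack samples, which is the property that matters when only a few labelled attack flows are available.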
- ene4/:
  - main_ene4.py: Main script for training and evaluating the ENE4 framework;
  - vae_module.py: Contains the implementation of the Variational Autoencoder used for unsupervised feature extraction;
  - mlp_module.py: Pre-trained supervised MLP for attack-oriented feature extraction;
  - classifier_head.py: Combines features and performs final classification;
  - data_utils.py: Utilities for loading, preprocessing, and augmenting datasets.
- Python (3.10+)
- PyTorch (2.2.1)
- NumPy (1.26.4)
- Scikit-learn (1.4.1.post1)
- pandas (2.2+)
- tqdm (4.66+)
@InProceedings{10.1007/978-3-032-05461-6_23,
author="Scala, Francesco
and Guarascio, Massimo
and Parrotta, Carlo
and Pontieri, Luigi",
editor="D{\v{z}}eroski, Sa{\v{s}}o
and Levati{\'{c}}, Jurica
and Pio, Gianvito
and Simidjievski, Nikola",
title="Learning Fast to Detect Slow: A Few-Shot Neural Approach to Slow DoS Attack Detection",
booktitle="Discovery Science",
year="2025",
publisher="Springer Nature Switzerland",
address="Cham",
pages="347--362",
abstract="The increasing frequency and sophistication of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, pose significant challenges to modern cybersecurity systems. These threats are further complicated by stealthy variants such as slow DoS attacks, which often evade timely detection. While Deep Learning (DL)-based Intrusion Detection Systems (IDSs) have shown promise in analyzing complex network traffic, their effectiveness is hindered by challenges like limited labeled data, noise, and the presence of Out-of-Distribution (OOD) samples. This paper proposes a hybrid DL-based IDS framework (ENE4) that integrates unsupervised and supervised components to improve detection performance under label-scarce conditions. The unsupervised module extracts task-independent features from network traffic, while the supervised one learns task-specific representations. These complementary features are fused to enable robust detection even in few-shot learning settings. Additionally, the model incorporates an adaptation mechanism to leverage knowledge from more frequent and related attack types, enhancing generalization to rare patterns. Experimental results on two standard benchmark datasets demonstrate the effectiveness and robustness of the proposed approach in detecting evasive DoS attacks.",
isbn="978-3-032-05461-6"
}
This work was supported by the EU-funded projects FAIR (PE00000013) and SERICS (PE00000014) under the NextGeneration EU and NRRP MUR programs.