LG, AI | Apr 17

Evaluating Temporal and Structural Anomaly Detection Paradigms for DDoS Traffic

arXiv:2604.16575 | 5.0 | h-index: 6
AI Analysis

For practitioners deploying anomaly detection in 5G networks, this work provides a simple diagnostic to choose feature representation, but the hybrid option is not validated.

The paper proposes a lightweight decision framework to select between temporal and structural feature representations for unsupervised DDoS detection in 5G networks. Experiments show structural features consistently match or outperform temporal ones, with the gap widening as temporal dependence weakens.

Unsupervised anomaly detection is widely used to detect Distributed Denial-of-Service (DDoS) attacks in cloud-native 5G networks, yet most studies assume a fixed traffic representation, either temporal or structural, without validating which feature space best matches the data. We propose a lightweight decision framework that prioritizes temporal or structural features before training, using two diagnostics: lag-1 autocorrelation of an aggregated flow signal and PCA cumulative explained variance. When the probes are inconclusive, the framework reserves a hybrid option as a future fallback rather than an empirically validated branch. Experiments on two statistically distinct datasets with Isolation Forest, One-Class SVM, and KMeans show that structural features consistently match or outperform temporal ones, with the performance gap widening as temporal dependence weakens.
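The two probes named in the abstract, sketched as an added example that is not code from the paper. The thresholds, the rule for combining the probes, and the sample data are assumptions constructed here, since the abstract states none of them.

```python
import numpy as np

# Assumed cut-offs for illustration; the abstract does not state thresholds.
ACF_HIGH = 0.5       # |lag-1 autocorrelation| at or above this counts as strong temporal dependence
VAR_TARGET = 0.90    # cumulative explained variance the PCA probe must reach
COMPACT_FRAC = 0.5   # feature space is "compact" if the target needs <= half the components

def lag1_autocorr(signal):
    """Lag-1 autocorrelation of an aggregated flow signal (e.g. flows per time window)."""
    x = np.asarray(signal, dtype=float)
    x = x - x.mean()
    denom = float(np.dot(x, x))
    if x.size < 2 or denom == 0.0:      # constant or too-short signal: nothing to measure
        return 0.0
    return float(np.dot(x[:-1], x[1:]) / denom)

def pca_components_needed(features, target=VAR_TARGET):
    """Principal components needed to reach `target` cumulative explained variance."""
    X = np.asarray(features, dtype=float)
    std = X.std(axis=0)
    X = (X - X.mean(axis=0)) / np.where(std == 0, 1.0, std)   # standardise, guard constant columns
    var = np.linalg.svd(X, compute_uv=False) ** 2
    if var.sum() == 0.0:
        return X.shape[1]
    cum = np.cumsum(var) / var.sum()
    return min(int(np.searchsorted(cum, target)) + 1, cum.size)

def choose_representation(signal, features):
    """Assumed rule: probes that agree pick a side, probes that disagree give 'hybrid'."""
    rho = lag1_autocorr(signal)
    k = pca_components_needed(features)
    temporal = abs(rho) >= ACF_HIGH
    compact = k <= COMPACT_FRAC * np.shape(features)[1]
    if temporal and not compact:
        return "temporal", rho, k
    if compact and not temporal:
        return "structural", rho, k
    return "hybrid", rho, k

def constructed_samples(n=500, seed=0):
    """Constructed data: AR(1) vs white-noise flow counts, low-rank vs independent features."""
    rng = np.random.default_rng(seed)
    ar1 = np.zeros(n)
    for t in range(1, n):
        ar1[t] = 0.9 * ar1[t - 1] + rng.normal()
    W = np.array([[1, 1, 1, 1, 2, 2, -1, -1], [1, -1, 2, -2, 1, -1, 1, -1]], dtype=float)
    low_rank = rng.normal(size=(n, 2)) @ W + 0.05 * rng.normal(size=(n, 8))
    independent = rng.normal(size=(n, 8))
    return ar1, rng.normal(size=n), low_rank, independent
```

Running both probes on a held-out slice of benign traffic before fitting Isolation Forest, One-Class SVM or KMeans keeps the choice of representation independent of any detector's score.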
