The experiment uses a small, realistic cloud-native stack that keeps the data path simple and the signals close to the perimeter. The target application is OWASP Juice Shop on Amazon ECS. Incoming requests terminate at Amazon CloudFront and are then forwarded to an Application Load Balancer (ALB), which distributes them across ECS tasks. CloudFront serves as the public entry point, caching static assets and shielding the origin from direct Internet exposure [ 18 ]. AWS Web Application Firewall (WAF) is attached at the CloudFront layer as the enforcement plane; rate-based and challenge actions are available but are not used for model training. In this methodology WAF remains a control surface for validation and audit rather than a data source for learning [ 19 ]. The overall setup and data flows are summarized in Figure 1: requests flow Clients → Amazon CloudFront (AWS WAF Web ACL attached) → Application Load Balancer (ALB) → ECS service; logging sends CloudFront access logs → S3 (training input; minute-level features: RPS, unique IPs, 4xx/5xx), while ALB/WAF logs → S3/CloudWatch for audit/enforcement only (not used for training); the detector’s operating threshold is frozen on a disjoint validation slice (A+B). An accompanying public artifact repository is available [ 20 ].

Observability is configured to privilege signals available at the CDN perimeter. CloudFront standard access logs are enabled and delivered to Amazon S3 in structured form, exposing fields required to derive minute-level aggregates such as request rate (RPS), unique client IP count, and 4xx/5xx response totals [ 21 ]. ALB access logs are likewise written to S3 and support operational checks on latency and status codes; they are explicitly excluded from the training feature set to preserve the CloudFront-only learning assumption [ 22 ]. WAF logging is activated and streamed to S3 via Amazon Kinesis Data Firehose. These records capture rule evaluations and enforcement actions and are retained for auditability, avoiding leakage from control decisions into learning targets [ 23–28 ]. All logs are stored in a dedicated S3 bucket with a clear prefix for CloudFront records, which facilitates deterministic dataset assembly and later inspection.

The architecture is modular. Each component—CloudFront distribution, WAF web ACL, ALB, and ECS service—can be scaled or replaced without altering the logging pipeline. The evaluation relies only on edge-observable features aggregated at one-minute cadence: RPS, unique IP count, 4xx/5xx counts, and a raw row count used as a coverage indicator. This design keeps the classifier transparent, reduces dependence on application-internal signals, and matches constraints typical of availability-critical systems. In practice, the setup mirrors a common production topology while remaining small enough to support rigorous and reproducible experiments.

To facilitate a comprehensive training and evaluation process, four distinct, methodologically clean traffic scenarios were generated. All scenarios targeted the same CloudFront-ALB-ECS stack hosting the OWASP Juice Shop application. The design of these scenarios was crucial for creating a robust training set and for rigorously evaluating the final classifier’s sensitivity, stability, and generalization capabilities.

A: Benign Background. This scenario provides a baseline of normal, low-intensity user activity. The traffic profile was intentionally kept stable and at a low volume (RPS consistently below 150) to create an unambiguous representation of a system under normal operating conditions. All data points generated in this scenario were labeled as benign (label = 0).

B: Known DDoS Attack. This scenario emulates a concentrated, application-layer DDoS attack, intended to be part of the training data. It consists of a scripted ramp-peak-cooldown sequence, characterized by a high volume of requests originating from a limited number of IP addresses. This low-diversity, high-volume pattern is a classic indicator of a denial-of-service attack. Data points within the core attack window were labeled as malicious (label = 1).

C: Benign Flash Crowd. This scenario models a legitimate, high-volume traffic surge, such as from a successful marketing campaign. Crucially, the traffic was generated from a diverse pool of source IP addresses, simulating a large number of unique users. The profile included a rapid rampup, a sustained high-volume peak (RPS > 400), and a gradual cooldown. Despite the high request rate, all data points in this scenario were labeled as benign (label = 0), serving as a critical example of “good” high-volume traffic for the training set. D: Unseen DDoS Attack. This scenario was created to serve as a held-out test set for evaluating the model’s generalization capabilities. While similar in structure to the “Known DDoS Attack” (B), it was generated using different parameters, request patterns, and source IP addresses. The model was never exposed to this data during training or validation, making it a true “blind” test of the classifier’s ability to identify a novel threat. As with scenario B, data points within the core attack window were labeled as malicious (label = 1).

The dataset was constructed strictly from Amazon CloudFront standard access logs. Per-request records were processed to generate minute-level feature tables, while logs from other services like Application Load Balancer were excluded to prevent data leakage. The feature engineering process was intentionally kept minimal, focusing on a compact vector of edge-available signals: request rate (RPS), unique client IP count (cf_uniq_ip), and response error counts.

To ensure model robustness, a comprehensive TRAIN set was created. Preliminary experiments showed that a model trained naively on only background and attack data failed to generalize to legitimate traffic surges. The final training set therefore incorporates examples from three distinct scenarios: the benign background (A), the known DDoS attack (B), and the benign flash crowd (C). This representative dataset was shuffled to prevent the model from learning spurious temporal dependencies and to teach it the structural differences between malicious and legitimate highvolume events. A small, consistent VAL set was used for stable threshold tuning, composed of unambiguous positive samples from the core of attack B and negative samples from background A. The final TEST set was constructed as a continuous timeline concatenating all four scenarios (A → B → C → D), with the unseen DDoS attack (D) serving as a rigorous, held-out evaluation of generalization capability. The composition of these final datasets is summarized in Table 1. The inclusion of the fourth scenario, an unseen DDoS attack (D), served as a rigorous, held-out evaluation of the model's generalization capability on a novel threat.

The primary model is a Random Forest (RF) classifier, chosen for its ability to capture nonlinear interactions between features without requiring extensive tuning. As a baseline for comparison, a linear Logistic Regression (LR) model is also evaluated to determine if a simpler decision boundary is sufficient for this task. Both machine learning models were trained on the comprehensive TRAIN set, which includes diverse examples of benign and malicious traffic. The third model is a nonlearning RPS Threshold comparator, which serves as a simple benchmark to anchor the performance of the ML-based approaches.

To ensure a rigorous and operationally realistic evaluation, the analysis adheres to a strict frozen-threshold protocol. For both the RF and LR classifiers, an optimal operating point was determined by selecting a single decision threshold (τ). This threshold was chosen by maximizing the F1-score on the VAL set, which contains a balanced mix of unambiguous attack and benign samples. Once selected, this threshold was “frozen” and applied without any further adjustments to the final TEST set. This methodology is critical for preventing data leakage from the test distribution and for mirroring production environments where detection policies must be stable, auditable, and are not continuously re-tuned. The evaluation metrics were selected to align with the primary operational goal of maximizing attack detection while strictly controlling for false positives on legitimate traffic. Performance on the VAL set was primarily assessed using precision, recall, and the F1-score. Operating points were selected using precision–recall analysis to align with an FP-dominant utility under class imbalance, while ROC/partial-ROC were also inspected to contextualize PR-based choices [ 26 ]. The final evaluation on the comprehensive TEST timeline focuses on direct, interpretable outcomes: the count of True Positives (TP) achieved during the known (B) and unseen (D) attack scenarios, and the count of False Positives (FP) generated during the benign background (A) and flash crowd (C) scenarios. This provides a clear, quantitative measure of each model's sensitivity and stability.

Evaluation follows a production-style constraint in which false positives during benign surges dominate operational risk. All quantities are computed on one-minute windows, and threshold selection on validation is kept strictly separate from testing to avoid leakage. On the frozen validation split, a scalar operating threshold τ is chosen at the F1 maximum. At that operating point, the report includes precision (precision = TP/(TP+FP)), recall—also referred to as the true positive rate (TPR = TP/(TP+FN))—and F1 (F1 = 2·precision·recall/(precision+recall)). Detection delay is measured as the difference, in minutes, between the first alarm and the onset of the contiguous attack core; a delay of zero indicates immediate detection at one-minute cadence. Operating points were selected using precision–recall analysis to align with an FP-dominant utility under class imbalance, while ROC/partial-ROC were also inspected to contextualize PR-based choices [ 26 ]. The flash-crowd stability subset consists exclusively of benign minutes and therefore measures stability rather than sensitivity. With τ frozen from validation, any alarm on test constitutes a false positive; results are summarized by the false-positive rate (FPR = FP/(FP+TN)) and by specificity (specificity = 1 − FPR), and are reported alongside the confusion outcomes (which reduce here to FP and TN because there are no attack-positive minutes by construction). To keep baselines comparable, the plain RPS rule is evaluated under the same discipline: its scalar threshold is selected on validation using the same precision–recall/F1 criterion and then applied unchanged on the flash-crowd test to obtain FPR and specificity. Finally, per-minute alarm traces for all models and baselines are retained so that precision, recall, F1, specificity, and delay can be recomputed and audited on the exact windows used in the study.

The comparative performance of the Random Forest classifier, the Logistic Regression (LR) baseline, and a simple RPS threshold is visualized across the full experimental timeline in Figure 2. The figure plots the RPS profile and overlays markers indicating alarms from each detector, providing a direct visual comparison of their behavior in different traffic regimes.

An analysis of the timeline, quantitatively summarized in Table 2, reveals critical differences in model performance. A primary finding is that both the RF and LR models, after training on the comprehensive dataset, achieved perfect stability. During the Benign Background phase (A) and the Benign Flash Crowd phase (C), neither classifier produced a single false positive, correctly identifying all legitimate traffic.

In the Known Attack phase (B), both machine learning models proved effective. The LR model demonstrated slightly higher sensitivity, detecting 20 out of 21 attack minutes (95% recall). The RF model was also highly effective, identifying 17 out of 21 minutes (81% recall). Both significantly outperformed the simple RPS threshold.

The decisive test of robustness came in the final Unseen Test Data phase (D). Here, the Logistic Regression model completely failed to generalize, detecting 0 out of 13 minutes of the novel attack. In stark contrast, the Random Forest classifier successfully generalized its learning, identifying 9 out of 13 minutes (69% recall) of the new threat. This result highlights the fundamental inability of the linear model to adapt, whereas the nonlinear RF model proved effective against a previously unseen attack pattern.

In summary, the results demonstrate a clear hierarchy of model performance. While both machine learning models learned to be perfectly stable on known benign traffic patterns, only the Random Forest classifier possessed the capacity to generalize its knowledge to effectively identify a novel, unseen threat. The complete failure of the Logistic Regression model on the unseen test data underscores the limitations of linear models for complex security tasks. These findings strongly suggest that a combination of a representative training dataset and a nonlinear model architecture is essential for building a truly robust DDoS detection system.

Benign stability (FP=0 on A+C) after widening TRAIN shows that flash crowds share marginal signatures with attacks (elevated RPS, burstiness) yet differ in joint structure (client-IP diversity, error mix). Exposing those legitimate surges during training teaches safe regions that an attackonly curriculum cannot provide [ 6 ]. LR’s collapse on D follows from its single linear boundary: with one-minute aggregates (RPS, unique clients, coarse 4xx/5xx), separability is interactiondrive —e.g., high RPS with low diversity and altered errors (attack core) versus high RPS with high diversity and stable errors (flash crowd). RF’s piecewise partitions capture such interactions, preserving FP=0 while retaining partial sensitivity to novel morphology [ 29, 30 ].

Learning was restricted to CloudFront-only signals—minute-level RPS, unique clients, and 4xx/5xx counts—while ALB and WAF telemetry was reserved for audit and enforcement [ 21–23 ]. This kept the pipeline portable and reproducible yet still discriminative once weak interactions were modeled by RF. A univariate RPS rule remained easy to audit but could not exploit cross-feature corroboration, forcing a trade-off between flash-crowd safety and recall. For parity, the RPS threshold was also selected and frozen on the disjoint validation slice using the same precision– recall criterion [ 28 ]. The minimal-features, frozen-threshold discipline aligns with guidance on traceability and auditability for AI-enabled controls [ 31 ].

Both hypotheses are supported. A CloudFront-only classifier outperformed a plain RPS threshold on recall without violating a strict FP budget on the flash crowd, and a nonlinear learner proved more robust than a linear separator under the same frozen-threshold protocol. RF exceeded the RPS baseline on B and retained partial sensitivity on D, where LR failed completely—consistent with recent evidence on the strength of tree/ensemble methods for tabular data [ 29, 30 ]. PR-based operating-point selection reflects an FP-dominant utility under class imbalance [ 28 ].

Internal validity. Scenarios used a single-domain topology, one-minute aggregation, and bounded IP diversity. These choices prioritize label clarity and reproducibility but may narrow withinscenario variance. A single, small validation slice, even when disjoint from test, can overstate separation if its boundary is unusually clean; fixing the operating point before test mitigates but does not eliminate this risk [ 24 ].

External validity. The CloudFront→ALB stack is laboratory-bound and may not capture multi-origin, multi-region routing or broader adversary tactics. Evolving protocol-level stressors such as HTTP/2 Rapid Reset (CVE-2023-44487) challenge control paths in ways not exercised here [ 33 ]. Benign regimes beyond the single flash-crowd morphology (e.g., geo-distributed campaigns, device heterogeneity, cache-behavior variation) remain to be tested [ 6, 18 ]. Construct validity. Metrics are minute-level and edge-visible by design; they do not capture connection-churn micro-bursts or user-experience proxies beyond specificity. Precision–recall alignment is appropriate for FP-dominant, class-imbalanced protection, but alternative utility weightings (e.g., explicit FP/FN costs) could shift the chosen threshold [ 23 ]. Feature importance in ensembles is associational; ablation or counterfactual analyses would be required for stronger attribution [ 30 ].

Conclusion validity. The superiority of nonlinear capacity under distribution shift is shown at the pattern level; repeated trials with seed variation and bootstrap intervals would quantify uncertainty on TP/TN counts and specificity.

Operationalize with a conservative WAF control loop: score each minute; raise an alarm only after K consecutive exceedances; start with CHALLENGE/CAPTCHA or temporary BLOCK as a canary; escalate only if the condition persists; rollback on recovery, with all actions logged for audit [ 16, 33 ]. Strengthen external validity by extending flash-crowd tests to multi-region campaigns, heterogeneous devices, and varied cache behaviors, and by quantifying drift robustness under these conditions [ 18, 21, 22 ]. Enrich the adversary model with contemporary stressors (e.g., HTTP/2 Rapid Reset, path-focused L7 campaigns) while retaining edge-only observability [ 21, 32 ]. Tighten reliability estimates via ablations (seed variation, feature drop-outs), variance analyses of specificity/recall, longitudinal audits of threshold stability, and full experiment documentation with pinned dependencies and change control consistent with secure software development guidance [ 34 ]. Finally, include shallow yet diverse baselines (e.g., calibrated trees or ensembles with monotonic constraints) to map the minimal capacity required for benign-surge stability while keeping the implementation lightweight and auditable [ 29, 30 ].