Detection of Distributed Denial of Service (DDoS) Attacks in IOT Based Monitoring System of Banking Sector Using Machine Learning Models

Abstract

Cyberattacks can trigger power outages, military equipment problems, and breaches of confidential information, i.e., medical records could be stolen if they get into the wrong hands. Due to the great monetary worth of the data it holds, the banking industry is particularly at risk. As the number of digital footprints of banks grows, so does the attack surface that hackers can exploit. This paper aims to detect distributed denial-of-service (DDOS) attacks on financial organizations using the Banking Dataset. In this research, we have used multiple classification models for the prediction of DDOS attacks. We have added some complexity to the architecture of generic models to enable them to perform well. We have further applied a support vector machine (SVM), K-Nearest Neighbors (KNN) and random forest algorithms (RF). The SVM shows an accuracy of 99.5%, while KNN and RF scored an accuracy of 97.5% and 98.74%, respectively, for the detection of (DDoS) attacks. Upon comparison, it has been concluded that the SVM is more robust as compared to KNN, RF and existing machine learning (ML) and deep learning (DL) approaches.

1. Introduction

An increase in ransomware attacks of 1318 percent in the first half of 2021 was disproportionately felt by the banking sector [1]. New COVID-19 opportunities for threat actors may be behind the 4 percent rise in business email compromise (BEC) attacks [2]. Banks are increasingly vulnerable to large-scale cyberattacks. A financial institution’s solvency could be jeopardized by a cyberattack on another bank because of the banks’ interconnectedness. State-sponsored cyberattacks on U.S. banks are particularly vulnerable [3].

Cybercrime has been steadily increasing over the years as more people use the internet and mobile banking. Types of fraud ranging from credit card scams and spamming to ATM robberies and identity theft are just some examples of cybercrime incidents [4]. Because of the high monetary value of the data it stores, the banking industry is particularly at risk. There are a number of ways that hackers can profit from the stolen financial information and banking credentials. As banks’ digital footprints have grown, so too has the attack surface that could be exploited [5].

Cyberattacks can cause power outages, military equipment malfunctions, and leaks of classified information. They can lead to the theft of sensitive data, such as medical records, which can be extremely valuable. They can disrupt phone and computer networks, causing data to be unavailable, or paralyze systems [6].

As a result of the high value of the data it houses, banking is particularly vulnerable. There are a number of ways that hackers can profit from the stolen financial information and banking credentials. The machine learning models used address the above informative issues. ML/DL model play an important implemented different dataset such as biomedical [7,8,9,10], agriculture [11,12] and specially IoT dataset [13].

The main contributions of this research are as follows:

• This study proposed efficient machine learning model (SVM, KNN, and RF) for the classification of DDOS attacks using Banking Dataset based on their excellent performance. Further, no prior research has ever compared or used these (SVM, KNN, and RF) three approaches of DDoS attacks detection.
• We investigated the training parameters’ influence on the classification accuracy (%), pres (%), recall (%) and F1-score (%) and time complexity (ms).
• To check the evaluation performance of ML models, we compared SVM, KNN, and RF in order to find out the most efficient model. The comparative result indicates that SVM is more robust as compared to KNN, RF and existing machine learning methods (ML/DL).

This research is divided into 5 sections. Section 1 shows the introduction of this study; Section 2 shows the related work. Section 3 shows the methodology of this research, while Section 4 shows the results of this study. At the end, our conclusion has been shown in Section 5.

2. Related Work

Previously, DDoS has been analyzed in many studies; we are detecting here Middlebox DDoS, which is a very severe and new type of DDoS. Its type is an in-network device that serves as a monitor, filter or transformer between two interacting hosts. Network devices, such as routers and switches, can only examine the header of a message and not the content of it, whereas middleboxes use Deep Packet Inspection (DPI) to examine both. Middleboxes have been used for a wide range of network functions, including firewalls, since their introduction. Censoring middleboxes are often installed at the nation’s borders (or within the nation’s ISPs) and are commonly implemented at huge scales to monitor all traffic passing through the censoring nation-state. In unencrypted traffic, DNS requests, or TLS server name indication (SNI) fields, censoring firewalls often identify prohibited keywords or domains that must be blocked. It is possible for a censoring middlebox to block connections in various ways, including by blocking packets, injecting RST packets to break the connection, or by injecting block pages in response to forbidden HTTP requests. Once a middlebox determines a connection should be blocked, it can do so in a variety of ways. When packets are re-ordered or lost, middleboxes often track the content of connections over numerous packets. Middleboxes, on the other hand, may not be able to see packets travelling in both ways. As a result, packets between two end hosts may take distinct routes across the Internet. As a result, a middlebox may only be able to see one end of a TCP connection e.g., (the packets from client to server). Even while middleboxes don’t have access to all the packets in a connection, they can use TCP reassembly techniques to block connections even when they don’t see all of them. Because of the middleboxes’ tolerance to missing packets, attackers have an opening: a reflective attacker may be able to convince the middlebox that the three-way handshake has been completed without really completing it. As a result of the packets they send, middleboxes could be excellent targets for reflected amplification, especially for block pages. After that, we show how middleboxes can be hoodwinked and demonstrate how middleboxes can provide enormous amplification factors.

Chayomchai et al. [14] are looking into how cybercrime has impacted banking institutions and what steps have been taken to counteract those effects. The most recent victims have been banks. Massive malware assaults routinely target Indian banks, resulting in the theft of critical and private information and substantial financial losses. According to this study, the most vulnerable parts of a firm to cyber-attacks should be identified, and a customised cyber-security strategy should be developed to protect them. The research includes secondary data analysis of government websites, papers, and research studies, as well as case studies of previous cyber threats and crimes that have resulted in significant financial losses. To help banks, financial institutions, and the general public better comprehend the cyber regime, this study will be conducted. Poorly supervised models that do not require annotated data to estimate the impact of denial-of-service (DoS) attacks can be developed using Latent Dirichlet Allocation (LDA) and symmetric Kullback-Leibler divergence on tweets. There is a limit in the module that is only loosely supervised. Because fewer non-attack events on Twitter are likely to be mistaken for DoS attacks in the pre-specified detection window, this will become less of a problem. Another alternative is to use an extra classification layer, trained on manually annotated DoS attack tweets, to remove non-attack tweets from the dataset. Weakly-supervised learning approaches can be used to generate models that are precise and generalizable within the same industry [15,16].

Using Alimolaei et al. [16] though smart technology, an online bank customer can be identified if they are behaving abnormally. System designers used the fuzzy theory to take into consideration that users’ activities are accompanied by some degree of uncertainty. The fuzzy expert system’s performance was evaluated using a receiver operating characteristic curve, and the results show a 94% accuracy rate. E-banking security and service quality could benefit from the deployment of this expert system. To begin with, Refs. [17,18] describes the many cyber threats involved with online banking. Additionally, it provides an approach to cyber-banking security that focuses on protecting the borders of the application as well. Peripheral and application security are two different approaches to securing a system’s infrastructure.

E-banking transactions can now be checked for potential fraud using a novel approach developed by Salem et al. [19]. A model with scoring criteria for online real-time transactions and offline historical transactions is combined for the goal of identifying fraud. Large-scale data processing: a framework for this using Kafka, Spark, and MPP Gbase, a method for analyzing large transaction logs is described. The author’s experimental results show that their proposed technique is effective over a large dataset of electronic banking transactions. Future research by the author should fill in these gaps and resolve these difficulties. Cybercrime datasets are investigated and accessible problems are identified by Ref. [17], Ref. [20] using K-Means, Influenced Association Classifier and J48 Prediction Tree. Influenced Association Classification uses a clustering approach called K-Means. K-means classifiers can mine the record and make predictions about cybercrime using the J48 technique, which uses K-means selection to select the initial centroids. Bank cybercrime can be predicted better and more accurately utilizing information obtained via K-Means, Influenced Association Classifier, and J48 Prediction Tree combined. Author’s law enforcement authorities must be well-equipped to combat and prevent cybercrime.

The authors of [18,21,22] described the challenges faced by a number of banks and card-based enterprises. It is necessary to investigate the issue in depth in order to come up with a solution that is both practical and effective. By sharing information, you can help keep a bank safe from cyber-attacks. Avoid allowing too many inquiries from the same source or user session at once [23,24]. The majority of automated attack sources request web pages faster than normal users. It’s important to protect the network and its applications from DDoS attacks. Many DDoS attacks employ network strategies such as spoofing, fragmented packets, or failure to finish TCP handshakes. Attacks at the application level try to use up all of the server’s resources. Anti-malware efforts can be circumvented by detecting abnormal user activity and employing documented application attack signatures. DDoS attacks can be detected by looking for well-known patterns or signatures. HTTP requests that don’t conform to the protocol’s requirements are also common in DDoS attacks. The Slowloris attack is known for its use of repetitive HTTP headers. It is possible for a DDoS client to try to access pages that are not there. Attacks may also be the source of a web server problem or slow response time.

Despite the numerous defense mechanisms in place, the authors of [25,26] have found that bandwidth availability and computer resource security remain problematic. Due to a surge in valid traffic and its resemblance to attack traffic, the DDoS problem became more urgent. According to this study, T-CAD, a distributed attack detection system, can be used on autonomous system routers to identify and mitigate the effects of DDoS attacks. For example, T-CAD can tell the difference between legitimate traffic, DDoS attacks, and flash events using the normalized router entropy. The proposed attack detection system has been proved to function on OMNeT++ and INET in tests so far. The T-CAD DDoS defense system has outperformed many existing thresholds and entropy-based DDoS detection approaches in simulation testing. In the research introduced by [27,28], DDoS attack’s various models, as well as a timeline of defense measures and improvements to counter them, are all reviewed. Using the MapReduce programming architecture, a new DDoS attack detection mechanism has been built. As per the statement of the Internet banking platform, the procedures for authenticating customers differ. Several banks make use of passwords and PINs. Others use TANs and TAN lists to verify and authorize transactions (also known as scratch lists). Users can also be authenticated using one-time passwords or challenge-response systems, which are more complicated. As far as the author is aware, no major bank has successfully adopted public-key certificates for user authentication. The cryptographic strength of the SSL/TLS protocol is often used when advocating for the safety of online banking. Only a few theoretical faults and holes have been found in the SSL/TLS protocol’s security. These investigations are related to the Dolev-Yao threat model. It’s possible for an adversary to control the communication path between a client and server, but the end points of the channel remain secure. This misrepresents the realities of how an attacker might harm a customer.

For online banking fraud prevention, Mehmood and colleagues [29] employ a Hidden Markov Model (HMM). As a result, the bank’s system has developed a one-time password that is sent directly to each customer’s registered cell phone, ensuring that only legal transactions are rejected. Banks are implementing fraud detection and prevention technologies in an effort to avert enormous losses. Cutting-edge fraud technology is being used to detect and stop fraudulent Internet banking transactions from taking place at financial institutions around the world. The issue is that they are unable to efficiently identify and track legitimate users. As a solution, the author recommends using a Hidden Markov Model. To demonstrate the numerous attack methods used by cyber thieves against chosen Indian banks. In the research [30,31] has attempted to demonstrate how spoofing, brute force attacks, buffer overflow and cross-side scripting are all linked to Indian public and private sector banks. Cyber-attacks such as online identity theft [31], hacking [32] and harmful code [31,32]; DOS attack and credit card/ATM frauds [33] are also linked to Intruder Detection, as is System Monitoring.

Blockchain-based DDoS mitigation is a promising and viable approach. It is possible that the intrinsic and essential properties of blockchain, such as decentralization and internal and external trust lessness, immutability, verifiability and anonymity might combat this deadly cyber risk. In several businesses, we think there is no need for citation in such statements looking at how DDoS mitigation using blockchain technology is faring. In this research, we will take a close look at a number of strategies, focusing on their merits, drawbacks, and limits. A unified platform for learning about current strategies will be beneficial to DDoS mitigation research and development.

Collaborative DDoS attack detection methods that take into account the detection performance in different time zones is used to identify DDoS attacks on several networks more accurately. To get at a final conclusion for individual assaults on each of these networks, the detection and false positive rates for each network are weighted according to its time zone. To determine if a DDoS attack has taken place, [22] recommends using weighted detection data. It was found that the proposed technique reduces false positives by 35% while maintaining an extremely high detection rate. Yet to be identified and described are the ideal prerequisites for a protective solution despite this work’s goal of identifying and describing those criteria [34,35]. All HTTP-based DoS and DDoS assaults have been thoroughly examined in this study, which aims to define and describe the ideal criteria for a protective architecture against these attacks in-depth. Several academics have developed various DDoS detection methods based on information theory entropy and divergence measures in the past [24]. Research suggests using a novel LeCam divergence measure based on flow similarity across network traffic flows to detect distinct types of DDoS attacks. Experiments on the datasets provided by MIT Lincoln and CAIDA show that the proposed techniques may be used effectively; according to the findings, the LeCam Divergence metric outperforms the more traditional Kullbeck-Leibler, Bhattacharyya, and Pearson Divergence measures.

DDoS attacks can be classified as either benign traffic or DDoS assault traffic by using a unique architecture that combines a well-posed sparse Auto Encoder (AE) for feature learning with a Deep Neural Network (DNN) for classification [36]. Assault detection is made easier by adjusting the parameters of DNN and AE in a way designed for this goal. To avoid overfitting, the author of this article explains how to reduce reconstruction error, remove gradient inflating or disappearing, and develop a more compact network with fewer nodes [37]. Performance criteria such as detection accuracy, precision, recall, and F1-Score were used to compare the proposed approach to ten current best practices. A series of tests on the CICIDS2017 and NSL-KDD standard datasets have been carried out in order to verify the results. The proposed method outperforms existing methods.

For decades, DDoS attacks have degraded network availability, and no effective security measure has yet been established to combat them. New defenses against DDoS attacks are now possible due to the growth of Software Defined Networking technology. Two methodologies have been developed in [37] to identify DDoS attacks. One technique is to identify the source of a DDoS assault to measure the intensity of the attack. To find the DDoS assault, the K-Nearest Neighbors (KNN) algorithm is developed using Machine Learning (ML). The author’s proposed algorithms outperform those of other researchers in detecting DDoS attacks when tested on real-world datasets. If the system’s security defenses are deceived by someone with valid access to the system, an insider attack is more likely [35]. Anti-DDoS assaults can be prevented by using EDIP (Early Detection and Isolation). EDIP is able to locate an insider among all of the system’s legitimate clients by forwarding it to an attack proxy. As a result, a new algorithm has been developed to increase attack isolation while minimizing disruption to innocent customers. Using the load balancing approach, proxies can avoid being overloaded. Researchers have developed spectral gene set filtering (SGSF), a new method for filtering gene set collections prior to gene set testing in order to overcome the statistical power challenge posed by large gene set collections [4,35,36,37].

An important part of traditional IDS is blacklisting. These approaches are too time-consuming and ineffective for intruders to use. Machine learning and deep learning models have made it possible to automate and configure IDS such that they can be dynamic [37]. As a reminder, the model’s effectiveness is strongly dependent on the training data that was used. There are a number of datasets that are regularly utilized in IDS research. Individual DDoS attack datasets have received very little attention. Huang et al. [37] investigates the feasibility of initiating an IoT-based DDoS attack at a cheap cost. In the first place, a new DDoS attack architecture is proposed. This design is ideal for resource-constrained DDoS attackers due to its negligible management costs, high detectability, and excellent robustness. It is simplified to a variation problem where the objective functional represents the predicted impact of the DDoS attack associated with a DDoS attack method in this architecture and is based on a novel botnet growth model [38]. Finally, the variation problem for three alternative DDoS defense systems has been solved. DDoS assaults based on IoT are now more understood as a result of this study.

3. Materials and Methods

This section describes the dataset, methodology, and performance indicators in depth. Figure 1 represents the proposed work of the research, furthermore, we have used data from an open-source platform (accessed on 2 February 2021) that contains data of Distributed Denial of Service (DDOS) attacks. Data collected from the public source which was raw dataset. We have preprocessed the dataset by using preprocessing techniques. Null values have been removed from datasets and then balancing techniques were applied to scale and balance the dataset. After extracting the best features, we have split the data into 70% training and 30% testing sets. The training set is used to train the ML models and the testing set is used to evaluate the models.

3.1. Dataset Description

3.1.1. Fraud Detection Dataset

The Banking Dataset monitors network intrusions. This dangerous malware also includes DoS.

Table 1. The Bank dataset of features description.

Feature/Attribute	Description	Variable Type
ID	ATM ID	Input Variable
State	State of Railway (Connectivity)	Input Variable
Spkts	Source Packets (Sent to destination)	Input Variable
Dpkts	Destination Packets (Received at destination)	Input Variable
Sbytes	Source Bytes (Sent from Source)	Input Variable
Dbytes	Destination Bytes (Received from Source)	Input Variable
Attack_Cat	Category of an Attack Here we have used DDoS attacks, if the label shows 0, there will be no attack, if label will be 1, there will be DDoS attack.	Output/Target Variable with Nine Classes

and Figure 2 exhibit the dataset attributes and their descriptions.

Figure 2 shows the repartition of services from 4 PCs in a bank. The heat map shows that if the value in the repartition of services from a PC is greater than 0.5, then there is a chance of severe DDoS attack. When the value from a PC is less than 0.5, there will be a lesser chance of an attack. Figure 3 shows the total counts of target class distribution in dataset. DDoS attacks occur 50,000 times in the dataset.

These datasets are used to test the suggested approach. Preprocessed datasets can be used for deep learning. The homogeneity measure (k-means clustering) is an unsupervised approach for choosing important features from both sets of data. Five-fold cross validation can estimate and improve deep learning model performance. We employed three machine learning models to classify attacks. We have split the dataset into 70% training and 30% testing sets. Empirical studies show that the best results are obtained if we use 20–30% of the data for testing, and the remaining 70–80% of the data for training.

3.1.2. Data Preprocessing

The dataset is preprocessed to make it more appropriate for the ML classifier.

(a)

Removal of Socket Information

In order to remove any potential bias in the identifying procedure, IP addresses of both the source and destination must be deleted. Instead of relying solely on data from a single socket, it can rule out hosts with similar packet information by examining packet characteristics.

(b)

Remove White Spaces

Labels with several classes may contain white spaces. Due to the varied labels for the other tuples in this class, it has two classes.

(c)

Label Encoding

Encoding the labels into a numeric form so that they may be read by a computer is called label encoding. As a result, machine learning algorithms can make better decisions about how to use those labels. In supervised learning, it’s a key step in preprocessing the structured dataset.

(d)

Data Normalization

Non normalized data create inefficiencies in the predictions of outcomes, so we have normalized the dataset by using a standard scalar function. After the normalization of the dataset, feature ranking occurs.

(e)

Feature Ranking

Figure 4 presents the feature correlation matrix. Col_0 to Col_111 shows the number of features, because of the large number of characters and strings, we have used the label as col_0 to col_111. We have used k-means clustering in feature ranking of attributes; k-means used the weight of each feature and rank according to the weight and check the relevance of each feature in the outcome:

3.2. Machine Learning Models

Supervised Learning is an algorithm for classifying new observations based on previously learned data. Classification uses a dataset or set of observations to categorise fresh data into one of several categories. We used KNN, SVM, and Random Forests to classify DDOS attacks in the Banking Sector Dataset.

3.2.1. Support Vector Machine

Classification, regression, and outlier detection can all be accomplished with the help of supervised learning techniques known as support vector machines (SVMs). There are numerous benefits to using support vector machines. Useful in high-dimensional environments, even if the number of dimensions exceeds the number of samples, the method is still effective. In this study, we are classifying attacks by using novel architecture of the SVM Classifier. Its general architecture is shown in Figure 5. The input layer contains the vector input signal (x). It is computed between the input signal vector (x) and the support vector (s) in the hidden layer (y). The output neuron sums the linear outputs O of the hidden layer neurons. DDoS attack detection is equivalent to the two-classification problem; we use the SVM algorithm characteristics, collect switch data to extract the characteristic values to train, find the optimal classification hyperplane between the normal data and DDoS attack data, and then use the test data to test our model and get the classification results.

$$O= {\displaystyle \sum }{W}_{i}k\left(x_i{s}_i\right)$$

(1)

3.2.2. Random Forests

Classification and regression tasks can benefit from the use of random forests or random decision forests because they are an ensemble learning method that builds many decision trees at once. However, the accuracy of random forests is lower than that of gradient-boosted trees despite the fact that they outperform the former. In this study, random forests have been used for DDOS attack detection. In this study, we are classifying attacks by using architecture of RF Classifier. Its general architecture is shown in Figure 6. This model has been developed by assembling the logistic regression model into RF Classifier to improve both models’ accuracy. The mathematical model is as follows:

$$y= {{\displaystyle \sum }}_{k=1}^{n}f\left(x\right)$$

(2)

$$\ln \frac{P}{1-P}=a+by$$

(3)

$$\frac{P}{1-P}=e^{a+by}$$

(4)

$$P=\frac{e^{a+by}}{1+e^{a+by}}$$

(5)

Here, P is the probability function of Logistic Regression and y is the output of RF classification model. ${\displaystyle \sum }_{k=1}^{n}f\left(x\right)$ shows the boosting function of the RF Classifier. When RF takes the output of y it will be sent to probability function of logistic regression to check the changes of a class whether it is from 0 or 1.

3.2.3. K-Nearest Neighbors

It stands for “K-Nearest Neighbor”, and the abbreviation is KNN. To put it another way, it is part of the field of supervised machine learning. Use this algorithm to solve both classification and regression problems. “K” stands for the number of nearest neighbors to a newly discovered unknown variable that must be predicted or classified. In this study we are classifying attacks by using novel architecture of KNN Classifier. Its general architecture is shown in Figure 7. The input layer contains the vector input signal (x). It is computed between the input signal vector (k) and the neighbors (n) in the hidden layer (y). The output neuron sums the linear outputs O of the hidden layer neurons. The results mentioned in [8] also shows that KNN provides a high detection rate and low false positive rate. An approach using KNN in [9] shows that it is very useful in detecting DDoS attacks.

$$O= {\displaystyle \sum }{W}_{i}k\left(K_i{n}_i\right)$$

(6)

3.3. Performance Metrics

The performance of algorithms has been calculated by showing accuracy precision, recall and F1 score. True positive rate and false positive rates has also been shown by using Confusion Matrix. Accuracy, precision, recall, and F1 Score criteria were utilized to assess the effectiveness of the strategies under consideration. The distinction between classified and misclassified clauses has been demonstrated through the use of a confusion matrix. The computations of the metrics utilized in this study are shown in the

Table 2. Presents the performance metrics.

Metric	Description
Accuracy	$Accuracy=\left[\mathrm{TP}/\left(\mathrm{TP}+\mathrm{TN}\right)\right]\times 100$
Precision	$Precision=\left(\mathrm{TP}\right)/\left(\mathrm{TP}+\mathrm{FP}\right)\times 100$
Recall	$Recall=\left(\mathrm{TP}\right)/\left(\mathrm{TP}+\mathrm{FN}\right)\times 100$
F1 Score	$F1=2\left(\frac{precision \times recall}{precision + recall}\right)$

below.

4. Results

This section demonstrates how each model performs when applied to the chosen dataset. SVM, RF, and KNN models have each been tested on a distinct dataset. There are nine assaults in the Fraud Dataset that we will use to test our model’s ability to correctly classify them.

4.1. Performance of SVM Model

A supervised machine learning model known as a support vector machine (SVM) employs classification algorithms to solve classification problems involving two groups. It is possible to train an SVM model to categorize new text after providing it with training data for each category. The performance of SVM model has been shown in the Figure 8 and Figure 9 below. Accuracy and other performance metrics of SVM is 99.8%:

4.2. Performance of Random Forests

A classification algorithm known as a “random forest” is made up of a large number of decision trees. For each tree, it attempts to create an uncorrelated forest of trees whose prediction by committee is more accurate than any individual tree’s using bagging and feature randomness. The performance of RF model has been shown in the Figure 10 and Figure 11 below. Accuracy and other performance metrics of RF is 97.5%

4.3. Performance of KNN

For both classification and regression, the KNN algorithm can be used. It’s an easy-to-use supervised machine learning algorithm. It slows down as the amount of data used grows, making it easy to implement and understand, but a major drawback. The performance of KNN model has been shown in the Figure 12 and Figure 13 below. Accuracy and other performance metrics of KNN is 98.74%:

4.4. Time Complexity (sec)

In order to check the efficiency of the models (SVM, KNN, and RF) time complexity is very important. Figure 14 indicated the time complexity (sec) of the models. SVMs are more efficient than other models (KNN, and RF).

Table 3. Presents all the performance metrics of SVM, KNN, and RF model of DDoS detection.

Model	Accuracy%	Precision%	Recall%	F1 Score%
SVM	99.8	99.07	98.32	98.5
RF	97.5	97.23	96.5	97.0
KNN	98.74	98.53	97.33	98.53

shows the comparative analysis of all models in the current study.

It can be seen from our proposed work that the proposed framework is more accurate and efficient as compared to previous studies.

Table 4. The comparison study of SVM, KNN, RF with existing ML/DL.

Reference	Model	Accuracy %	Dataset
Current Study	SVM, RF, KNN	99.8, 97.5, 98.74	Banking Fraud Detection (Kaggle)
Dawod et al. [39]	ANN Model	83.5%	IoT Banking Devices Datasets
Hanafizadeh et al. [40]	CNN-LSTM	78%, 79%	Banking Fraud Time Series Data
Yan et al. [41]	SVM	86.7%	DDoS Datasets
Mishra et al. [42]	Trees	85.55%	DDoS Datasets
Gao, Aljuhani, et al. [43,44]	ML (KNN, SVM, ANN)	83%, 84%, 81%	Banking Datasets
Rehman et al. [45]	GRU	81.7%	DDoS Datasets
Guo et al. [46]	ANN, SVM	88.5%, 91%	Real Time Dataset

below shows the comparative analysis of the current study with previous state of art methods (ML/DL) of studies.

Additionally, the proposed models have some disadvantages. The models required high computational power and specialized hardware, e.g., they needed a good GPU to accomplish the training process.

5. Conclusions

Financial institutions are particularly vulnerable because of the great monetary worth of the data they hold. Hackers can make a fortune by selling the financial information and banking passwords they have stolen. Similarly, the attack surface that may be exploited by hackers has risen in tandem with the expansion of banks’ digital footprints. Using the Banking Dataset, we intend to uncover distributed denial-of-service (DDOS) attempts against financial institutions and other organizations. For the detection of assaults on the financial industry, machine learning algorithms have been implemented. We have applied SVM, KNN and RF. Each model performed with 99.5%, 97.5%, and 98.74% accuracy, respectively, for the detection of DDOS attacks. Comparative results indicated that SVM is more robust as compared to KNN, RF and existing machine learning (ML/DL) approaches. This model is limited to offline datasets, and if we want to work on real-time datasets, we must move to real-time fraud detection applications which are based on these supervised learning models.