DOI: 10.3390/computers15060399 ISSN: 2073-431X

Sequence-Level DDoS Detection Using Transformer Encoders on Aggregated Network Traffic

Ivan Torlakov, Yuri Zhelyazkov

DoS and DDoS attacks remain a major threat to service availability in modern IP and IoT networks, yet many learning-based detectors depend on dataset-specific flow exports, feature tables, or preprocessing conventions. This article presents a unified sequence-level detection pipeline designed to process heterogeneous public datasets through the same representation. Raw PCAP/PCAPNG traces from CIC-IDS-2017, CIC-DDoS-2019, and CICIoT2023 are converted into one-second aggregates per destination host using header-only features derived from IP, TCP, UDP, and ICMP metadata, source diversity, and packet timing. Dataset-specific annotations are used only to assign binary DoS/DDoS labels to this common representation. The resulting time-ordered aggregates are grouped into fixed-length temporal windows and classified by a compact transformer encoder, TemporalDosTransformer, which produces a window-level attack probability. The study focuses on whether a clean PCAP-based aggregation and labelling flow can support consistent DoS/DDoS detection across multiple datasets without payload inspection, flow-exporter dependence, or dataset-specific feature engineering.
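The representation described in the abstract can be sketched as follows. This is an added illustration, not the authors' code: the record layout, the exact feature columns, the zero-filling of idle seconds and the stride-1 windows are assumptions, since the abstract names only the feature families. The classifier itself is not shown.

```python
from collections import defaultdict

# Assumed feature set; the abstract names the feature families but not the exact columns.
FEATURES = ("pkts", "bytes", "uniq_src", "tcp", "udp", "icmp", "syn", "mean_gap")
DST = "203.0.113.10"
# Constructed header-only records: (time_s, src, dst, proto, ip_len, tcp_flags)
PACKETS = [
    (0.10, "192.0.2.1", DST, "tcp", 60, "S"),
    (0.20, "192.0.2.2", DST, "tcp", 60, "S"),
    (0.30, "192.0.2.3", DST, "tcp", 60, "S"),
    (0.50, "192.0.2.1", DST, "tcp", 52, "A"),
    (0.40, "192.0.2.1", "203.0.113.20", "tcp", 60, "S"),
    (2.25, "198.51.100.7", DST, "udp", 120, ""),
    (2.75, "198.51.100.7", DST, "udp", 120, ""),
    (3.50, "198.51.100.9", DST, "icmp", 84, ""),
]

def aggregate(packets):
    """Return {(dst, second): feature dict} built from packet headers only."""
    buckets = defaultdict(list)
    for ts, src, dst, proto, length, flags in packets:
        buckets[(dst, int(ts))].append((ts, src, proto, length, flags))
    rows = {}
    for key, pkts in buckets.items():
        times = sorted(p[0] for p in pkts)
        gaps = [b - a for a, b in zip(times, times[1:])]
        protos = [p[2] for p in pkts]
        rows[key] = {
            "pkts": len(pkts),
            "bytes": sum(p[3] for p in pkts),
            "uniq_src": len({p[1] for p in pkts}),  # source diversity
            "tcp": protos.count("tcp"),
            "udp": protos.count("udp"),
            "icmp": protos.count("icmp"),
            "syn": sum("S" in p[4] and "A" not in p[4] for p in pkts),  # bare SYNs
            "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,  # packet timing
        }
    return rows

def windows(rows, dst, first_sec, last_sec, length):
    """Time-ordered, fixed-length windows for one host; idle seconds become zero rows."""
    zero = dict.fromkeys(FEATURES, 0)
    seq = [[rows.get((dst, s), zero)[f] for f in FEATURES]
           for s in range(first_sec, last_sec + 1)]
    return [seq[i:i + length] for i in range(len(seq) - length + 1)]

if __name__ == "__main__":
    for w in windows(aggregate(PACKETS), DST, 0, 3, 3):
        print(w)
```

Each window is a `length` x `len(FEATURES)` matrix, the shape a sequence encoder would take as one input sample.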
