Abstract
DDoS attacks are a constant threat to servers, and anything connected to them, but a flash event, an influx of high demand for a service, can be confused with a DDoS attack. Both overwhelm the servers, but DDoS intentionally does this, while flash event has no intention other than using the servers. One can use neural network to detect the difference between the two, but humans will not know how much each of the features affected the decision making. Using XAI one can see visually how each feature affected the prediction of the model. To do this, datasets that contain both flash events and DDoS attacks must be found or created. To create the datasets for training, testing, and evaluating the models, the World Cup 1998 dataset was used for the flash event, and for the DDoS attack two separate datasets were chosen the CIC DDoS 2019 dataset and the BOUN dataset. Each DDoS dataset was mixed individually with the flash event dataset to create the datasets for this project. Then the two datasets were used to train and test a neural network model that would give good scores for both datasets. After that, the model would be trained with one data set but tested with the other to see what the results would be. After putting the predictions of the model into a XAI, it was determined that the feature with the greatest influence on the decision making was for CIC – DDoS 2019 dataset and the BOUN dataset is Time_Difference based on LIME, but for SHAP Time_Difference was not able to be calculated for the model when CIC DDoS 2019 was used for testing. However, Occurrence was the feature with the highest influence according to the SHAP results for all combinations of training and testing datasets.