Recent research on Distributed Denial of Service (DDoS) threats within 5G networks and existing solutions will be reviewed. This review aims to highlight the limitations in current methods and set the foundation for the novel security mechanism proposed in this study. By addressing gaps in scalability, real-time traffic management, and endpoint-specific security, this research introduces a tailored mechanism that enhances 5G network defense against DDoS threats, particularly by focusing on malicious traffic originating from end-user devices.

Onoja et al. [4] , in their study DDoS Threats and Solutions for 5G Networks, present an overview of various DDoS protection strategies. Their work emphasizes Software-Defined Networking (SDN) for centralized traffic management and edge computing for localized detection. While these methods isolate some DDoS patterns, they are limited in their ability to scale across diverse 5G ecosystems, where a wide range of endpoints, from IoT devices to smart appliances, are continuously online. The study also lacks emphasis on long-term botnet monitoring and adaptive attack detection, leaving gaps in addressing threats from botnets that evolve over time or remain dormant before initiating coordinated attacks.

Similarly, studies such as Ghorbani et al. [5] and Serrano Mamolar et al. [6] rely on static rule-based mechanisms to identify DDoS patterns. These approaches are effective for predictable attack behaviors but struggle to detect advanced threats that leverage stealth or adaptive methods. Such limitations underscore the need for a more dynamic, endpoint-focused solution that addresses the vulnerabilities posed by the always-on connectivity inherent in 5G networks.

Sanmorino and Yazid [7] proposed the use of flow patterns to detect and block malicious traffic. While their methodology demonstrated success in detecting certain DDoS traffic characteristics, it heavily relied on predefined traffic patterns, which are inadequate for detecting highly adaptive and evolving attack vectors. Furthermore, cluster-based analysis methods for DDoS detection are time-consuming and often less precise, making them unsuitable for real-time applications in dense 5G deployments.

To address these limitations, this study focuses on a novel security mechanism that leverages Multi-Access Edge Computing (MEC) and the strategic use of separate switches for inbound and outbound traffic. Unlike existing solutions that often mix traffic or rely solely on centralized analysis, this approach ensures better segregation and management of network flows. By preventing the mixing of inbound and outbound traffic at the switch level, the proposed mechanism enables more precise detection of malicious traffic.

This study also incorporates Zeek, a sophisticated tool for analyzing network traffic, to improve real-time detection capabilities at the MEC layer. The proposed solution uses machine learning algorithms like Random Forest (RF), K-Nearest Neighbor (KNN), and XGBoost, trained on the CIC-DDoS2019 dataset. This dataset provides a variety of traffic features, such as “Flow Duration”, “Total Fwd Packets”, “Total Backward Packets”, “Fwd Packet Length Max”, “Bwd Packet Length Max”, “Flow IAT Mean”, “Flow IAT Std”, “Flow IAT Max”, “Fwd Packets/s”, and “Bwd Packets/s”, which are used to identify unusual patterns in traffic flows. Although Zeek is not directly integrated with the machine learning models in this study, future work should aim to integrate these components for enhanced real-time detection. This integration will ensure that threats are detected proactively, even as attack methods change.

This study’s novelty lies in its focus on endpoint-specific DDoS mitigation within 5G networks by combining MEC-based traffic analysis with ML-driven detection mechanisms. Unlike traditional methods, which often treat endpoints as secondary to overall network security, this mechanism positions endpoints as primary points of analysis. The always-on nature of 5G-connected devices makes them prime targets for botnet formation and subsequent DDoS attacks, and this solution is specifically designed to address that vulnerability.

The use of separate switches for inbound and outbound traffic further enhances the precision of detection, as it prevents the mixing of legitimate and malicious traffic, enabling faster response times. By deploying this mechanism at the MEC layer, threats can be mitigated closer to their source, reducing the strain on the central network and improving scalability in dense 5G environments.

This research introduces a robust framework for detecting and blocking DDoS attacks through continuous monitoring, malicious traffic eradication and containment ensuring both adaptability and scalability. By leveraging the CIC-DDoS2019 dataset and integrating Zeek at the edge, the study establishes a new benchmark for real-time 5G network defense, addressing gaps in prior research and paving the way for more resilient and secure 5G infrastructures.

The proposed methodology is justified as it addresses the challenges of 5G networks by detecting and mitigating Distributed Denial of Service (DDoS) attacks at the network edge. This approach leverages Multi-Access Edge Computing (MEC), which allows for real-time traffic monitoring and analysis closer to the source of malicious activity. By incorporating tools such as Zeek for traffic analysis and machine learning models—Random Forest (RF), K-Nearest Neighbor (KNN), and XGBoost—the system is capable of identifying malicious traffic patterns with high accuracy. The methodology further enhances detection efficiency by isolating inbound and outbound traffic using separate switches, ensuring precise control over network flows. Following the structured SANS Incident Response Process, the proposed system ensures a systematic approach to threat detection, containment, and mitigation, minimizing disruption to the 5G network infrastructure.

The following covers the details about the methodology chosen:

1) Flow Duration: Measures the time duration of a traffic flow. Malicious traffic often exhibits longer or irregular durations compared to normal traffic, making this feature critical for identifying anomalies.

2) Total Forward Packets: Counts the total number of packets sent in the forward direction during a flow. DDoS traffic often includes an unusually high number of packets, which can help distinguish malicious flows.

3) Total Backward Packets: Counts the total number of packets sent in the reverse direction. This feature complements the forward packet count to provide a complete picture of traffic flow behavior.

4) Forward Packet Length Max: Captures the maximum length of packets in the forward direction. DDoS attacks may include large packets to overwhelm the target, making this feature valuable.

5) Backward Packet Length Max: Captures the maximum length of packets in the reverse direction. Similar to the forward packet length, it aids in identifying abnormal traffic patterns.

6) Flow Inter-Arrival Time (IAT) Mean: Measures the average time between packets in a flow. Malicious traffic often exhibits irregular inter-arrival times compared to legitimate traffic.

7) Flow Inter-Arrival Time (IAT) Standard Deviation: Quantifies the variability in inter-arrival times. High variability can indicate irregular traffic patterns typical of DDoS attacks.

8) Flow Inter-Arrival Time (IAT) Max: Captures the maximum inter-arrival time within a flow. This feature provides additional insight into traffic irregularities.

9) Forward Packets per Second (Fwd Packets/s): Calculates the rate of packets sent in the forward direction. DDoS traffic often involves a high packet rate, making this feature crucial.

10) Backward Packets per Second (Bwd Packets/s): Calculates the rate of packets sent in the reverse direction. It complements the forward packet rate to identify anomalous patterns.

These features were chosen because they collectively capture the characteristics of network traffic, including volume, timing, and flow behavior. Such metrics are critical for differentiating between legitimate and malicious traffic in real-time. This comprehensive preparation ensures the network is equipped to handle DDoS threats effectively.

At the Multi-Access Edge Computing (MEC) layer, the AI-trained detection program runs continuously to analyze and classify the traffic. The Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost model detects anomalies and determine whether the traffic is good or bad. Once harmful traffic is identified, it is contained using the outbound switch, preventing it from reaching the core network. This approach ensures that malicious traffic is blocked at the edge, minimizing the risk of disruption to the 5G network while allowing legitimate traffic to flow smoothly.

By leveraging Zeek for deep traffic analysis, detailed logs are generated to pinpoint the root cause of the DDoS attack. If a network provider uses a single switch with VLANs for traffic separation, the compromised VLAN segment can be isolated, and the bad traffic can be purged. Once the source is identified, corrective measures are applied to remove or neutralize the malicious devices, such as shutting down affected endpoints, updating security rules, or blacklisting the source IPs.

This process ensures that the network is not only protected from immediate threats but also cleaned thoroughly, reducing the chances of future attack recurrence.

Comprehensive documentation is completed, ensuring that all aspects of the incident, including events, actions taken, and challenges faced, are clearly recorded. An incident report is prepared, offering a detailed, step-by-step analysis of the incident while answering critical questions: Who, What, Where, Why, and How. This report helps identify areas where the response was effective and where improvements are needed.

Additionally, Zeek’s capability to log details of the attack can be analyzed to identify patterns of malicious traffic. These logs provide insights into the nature of the attack and enable the development of preemptive measures to mitigate similar threats in the future. By applying these lessons, the incident response process is refined, ensuring better preparedness and stronger defense against future DDoS threats within the 5G network.

The CSIRT uses the report to identify specific ways to improve team performance by highlighting any issues that were not handled efficiently. Metrics derived from the incident, such as response time or detection accuracy, are established as benchmarks for future comparisons. Finally, a lessons learned meeting is conducted with the CSIRT team and key stakeholders to discuss findings and implement improvements immediately. By applying these lessons, the incident response process is refined, ensuring better preparedness and stronger defense against future DDoS threats within the 5G network.

This chapter presents the key requirements, design considerations, and development details of the proposed system to detect and mitigate DDoS threats in 5G networks using edge computing. It defines the functional and non-functional requirements necessary for implementing the solution, emphasizing the capabilities and limitations of the proposed methodology.

Functional requirements define the essential tasks and behaviors that the system must perform to achieve its objectives. In this research, the focus is on detecting and mitigating DDoS attacks using Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost as the machine learning model, while leveraging Multi-Access Edge Computing (MEC) and network traffic separation strategies.

The functional requirements are as follows:

Non-functional requirements focus on the overall quality, performance, and usability of a system rather than its core functions. These attributes are vital to ensure the Intrusion Detection System (IDS) for DDoS attacks operates effectively and remains practical in real-world 5G environments.

The non-functional requirements for this research include:

By addressing these non-functional requirements, the system not only fulfills its purpose but also ensures seamless integration into real-world scenarios, offering a reliable and scalable defense against DDoS attacks in the 5G network environment.

The design of the proposed system focuses on detecting and mitigating DDoS attacks originating from compromised end-user devices within the 5G network. The system leverages Multi-Access Edge Computing (MEC), Zeek Intrusion Detection System (IDS), and a Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost-based detection model to analyze and filter malicious traffic. The core principle of the design ensures that legitimate and malicious traffic are separated, with a clear focus on precision and efficiency at the network edge.

The design components and flow of the system are as follows:

1) Malicious Traffic from End-User Devices: The traffic originates from end-user devices, which may be compromised and used to generate DDoS attacks. This malicious traffic is transmitted through the 5G Gateway and 5G Base Station (BTS) to the network.

2) Traffic Segregation at Switch IN: All traffic, both legitimate and malicious, is directed to Switch IN. This switch serves as the entry point for analyzing traffic flows.

3) Traffic Analysis at MEC Layer: At the Multi-Access Edge Computing (MEC) layer, the traffic is sent for analysis. The MEC is equipped with the Zeek IDS and the Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost detection models trained on the CIC-DDoS2019 dataset.

4) Traffic Filtering and Containment:

5) Traffic Isolation: To ensure precision, inbound and outbound traffic are managed using separate switches (Switch IN and Switch OUT). This prevents the mixing of good and bad traffic, enhancing detection accuracy and improving containment efficiency. In cases where a single switch is used for a Base Station (BTS), VLANs are configured to separate inbound and outbound traffic flows.

Design Benefits:

This design ( Figure 2 ) ensures a robust, scalable, and efficient system for mitigating DDoS attacks, protecting the 5G network from disruptions caused by malicious end-user devices.

A DDoS attack using a botnet is a coordinated cyber assault that aims to disrupt the normal functioning of a target server or network. In this type of attack, a botnet a network of compromised devices, often called “bots” is controlled by a central entity, such as a hacker or malware operator. Once an attack is initiated, these infected devices generate and send an overwhelming amount of traffic toward the target system, as illustrated in Figure 3 .

The primary objective of a DDoS attack is to overwhelm the target’s resources, such as bandwidth, processing power, or memory, ultimately rendering services inaccessible to legitimate users. Botnets can include thousands or even millions of infected devices, amplifying the scale and severity of the attack. The consequences of such attacks are significant, often causing financial losses, operational disruptions, and reputational harm. These impacts make DDoS attacks a serious challenge for network administrators and security professionals, particularly within highly connected environments like 5G networks.

The Detection and Mitigation Mechanism at the Multi-Access Edge Computing (MEC) layer is designed to handle incoming network traffic in real time. This system is created to detect Distributed Denial of Service (DDoS) attacks and block malicious traffic while ensuring legitimate traffic is forwarded seamlessly. The process is carried out step by step as shown in Figure 4 .

Step 1: Start and Real-Time Traffic Collection

All incoming traffic is collected continuously by the MEC layer from Inbound Switch. A Traffic Collector is used to monitor and capture live network traffic. This ensures that no packet bypasses the system. The traffic is prepared for further analysis.

Step 2: Feature Extraction

After the traffic is collected, important features are extracted from the packets. Attributes like packet size, protocol type, flow duration, and packet rate are analyzed and structured. This step is carried out in real-time to prepare the data for classification. The selected features are critical for distinguishing between legitimate and malicious traffic by providing insights into the flow characteristics of the network. By focusing on these key attributes, the model can efficiently identify patterns indicative of DDoS attacks. Accurate and timely feature extraction ensures the system’s responsiveness and effectiveness in detecting malicious traffic in real-world scenarios.

Step 3: Feature Set Processing by the Trained Machine Learning Algorithm

The extracted feature set is processed using the pre-trained Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost Machine Learning algorithm. This model was trained earlier on the CIC-DDoS2019 dataset. The features are analyzed, and the traffic is classified into two categories:

The classification is performed quickly and efficiently using decision trees in the Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost models.

Step 4: Confirmation of DDoS Attack

If the traffic is classified as malicious, the system checks whether the patterns confirm a DDoS attack. If no attack is detected, the traffic is forwarded as legitimate. However, if a DDoS attack is confirmed, the system immediately moves to mitigation.

Step 5: Mitigation of Malicious Traffic

Mitigation measures are applied to block or reduce the impact of malicious traffic. Several actions are taken:

These actions are carried out in real-time, ensuring that the network is protected without delays.

Step 6: Forwarding Legitimate Traffic

Traffic classified as legitimate is forwarded through the Outbound Switch to its intended destination or the core network. This ensures that normal users experience no disruptions and that valid traffic continues uninterrupted.

This project focuses on designing an Intrusion Detection System (IDS) for detecting and mitigating DDoS attacks using machine learning techniques, specifically the Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost Classifier. The project utilizes the CIC-DDoS2019 dataset, a real-world dataset that contains diverse traffic patterns, including malicious and legitimate flows. The dataset is preprocessed to remove irrelevant columns, handle missing values, and prepare features for model training. The input features are analyzed, and the target labels (attack or normal) are defined for classification purposes. The data is split into training and testing sets, with 80% used for model learning and 20% for evaluation. A Random Forest (RF), K-Nearest Neighbor (KNN) and XGBoost model is trained to classify network traffic accurately, with performance assessed using metrics such as accuracy and a confusion matrix. Hyperparameter optimization is performed using GridSearchCV to improve the model’s performance. This project demonstrates how machine learning can be leveraged to detect malicious traffic patterns in real time, contributing to 5G network security. The structured approach ensures that the system is robust, scalable, and capable of effectively differentiating between normal and DDoS attack traffic.

The first step involves importing all the necessary Python libraries ( Figure 5 ) required for data loading, preprocessing, feature selection, model building, and evaluation. Libraries such as Pandas and NumPy form the backbone of data handling. Pandas is utilized to work with tabular data, enabling easy reading, cleaning, and manipulation of datasets. NumPy supports numerical operations, such as array handling and mathematical computations, which are essential for machine learning tasks.

For visualization, Matplotlib and Seaborn are imported. These libraries are used to create graphical representations, such as correlation matrices and confusion matrices, making it easier to analyze and interpret data patterns.

From Scikit-learn, a comprehensive machine learning library, tools like train_test_split are used for splitting datasets into training and testing subsets. Preprocessing utilities such as StandardScaler and LabelEncoder standardize and encode data, ensuring it is suitable for model training. Feature selection is achieved using SelectKBest and mutual_info_classif, which identify the most relevant features for classification tasks.

The machine learning models include RandomForestClassifier, KNeighborsClassifier, and XGBoost (from the XGBoost library). These algorithms are the core of the detection mechanism, trained to classify traffic as benign or malicious. The SMOTE library (Synthetic Minority Over-sampling Technique) is employed to handle class imbalances in the training data, ensuring the models perform effectively even with skewed datasets.

Additional utilities like joblib enable saving and loading trained models, while evaluation metrics such as classification_report, confusion_matrix, roc_curve, and auc assess model performance. By importing these libraries at the start, a comprehensive toolkit is established for building a robust DDoS detection system.

The dataset, CIC-DDoS2019, is loaded into the Python environment using the pd.read_csv() function from the Pandas library ( Figure 6 ). This function reads the data from a CSV file and converts it into a DataFrame, a table-like structure that allows for easy access, analysis, and manipulation of the data.

After loading, the script displays the column names using the columns attribute of the DataFrame, providing an overview of the dataset’s features. The shape of the dataset, representing the number of rows and columns, is displayed using the .shape attribute, giving an idea of the dataset’s size.

To explore the dataset ( Figure 7 ) more effectively, the Pandas option display.max_columns is set to None, ensuring that all columns are visible when viewing the DataFrame. The dataset itself is printed, which allows a complete view of its structure, column names, and sample values.

This preliminary exploration is essential for understanding the dataset and preparing for further analysis. Key details such as column names, data types, and the presence of missing values will be examined in subsequent steps to address any issues and prepare the data for modeling.

Missing or infinite values can cause problems during model training. To address this, infinite values were first replaced with NaN using the replace() function. Then, rows containing NaN values were removed using the dropna() function. This ensured that the dataset was clean and ready for analysis. Handling these values also helped prevent errors during the training process. The code below was used:

# Replace infinite values with NaN and drop rows with NaN values

dataset.replace([np.inf, -np.inf], np.nan, inplace=True)

dataset.dropna(inplace=True)

The selected classes encompass a range of benign and malicious traffic, including denial-of-service attacks (DrDoS) targeting various protocols (DNS, LDAP, MSSQL, NTP, NetBIOS, SNMP, UDP), as well as other attack types such as LDAP, MSSQL, NetBIOS, Portmap, Syn, TFTP, UDP, UDP-lag, and WebDDoS. This selection enables the model to learn distinct patterns associated with these prevalent attacks, contributing to a more accurate and robust intrusion detection system. By concentrating on these specific classes, the research aims to provide valuable insights into their characteristics and improve mitigation strategies against them.

selected_classes = ['Benign', 'DrDoS_DNS', 'DrDoS_LDAP', 'DrDoS_MSSQL', 'DrDoS_NTP', 'DrDoS_NetBIOS', 'DrDoS_SNMP', 'DrDoS_UDP', 'LDAP', 'MSSQL', 'NetBIOS', 'Portmap', 'Syn', 'TFTP', 'UDP', 'UDP-lag', 'UDPLag', 'WebDDoS']

dataset = dataset [dataset ['Label'].isin(selected_classes)]

The dataset included many features, but not all of them were equally useful for detecting DDoS attacks. A set of ten important features was selected based on domain knowledge and their relevance to network traffic. These features included Flow Duration, Total Fwd Packets, and Flow IAT Mean. By selecting only these features, the complexity of the dataset was reduced, and the model’s performance improved. The selected features are shown below:

selected_features = ['Flow Duration', 'Total Fwd Packets', 'Total Backward Packets', 'Fwd Packet Length Max', 'Bwd Packet Length Max', 'Flow IAT Mean', 'Flow IAT Std', 'Flow IAT Max', 'Fwd Packets/s', 'Bwd Packets/s'] X = dataset [selected_features] y = dataset ['Label']

Understanding the relationships between features is essential for improving the model’s accuracy. A correlation matrix was created to identify how features were related to one another. The matrix was visualized using a heatmap, which made it easier to see which features had strong correlations. Features with high correlation values often carry similar information, so this step also guided further feature selection. The correlation heatmap was created with the following code ( Figure 8 ).

To train and test the machine learning models, the dataset was divided into two parts: training data (80%) and testing data (20%). This split ensured that the models were trained on one set of data and evaluated on another. Stratified sampling was used to maintain a balanced distribution of classes in both subsets. The following code was executed for this step:

X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42, stratify=y)

The dataset was imbalanced, meaning that some classes had significantly fewer samples than others. To address this, the Synthetic Minority Oversampling Technique (SMOTE) was applied to the training data. SMOTE created synthetic samples for the minority classes, making the dataset more balanced. A balanced dataset improves the model’s ability to detect all classes effectively.

Machine learning models perform better when features are on a similar scale. To achieve this, the StandardScaler was used to normalize the data. After normalization, all features had a mean of 0 and a standard deviation of 1. This step ensured that no feature dominated others due to differences in scale.

The confusion matrices provide a visual assessment of the classification performance for three different machine learning models: Random Forest (RF), K-Nearest Neighbors (KNN), and XGBoost (XGB). Each matrix reveals the models’ strengths and weaknesses in accurately identifying various network traffic categories, including both benign traffic and different types of attacks.

In this phase, the implementation of the Random Forest (RF), K-Nearest Neighbor (KNN), and XGBoost models was tested for their accuracy before deploying them in a Multi-Access Edge Computing (MEC) environment. MEC allows data to be processed closer to the network’s edge, significantly reducing latency and improving response times for real-time applications. This setup is particularly beneficial for applications that require fast detection and mitigation of network threats, such as Distributed Denial-of-Service (DDoS) attacks.

Zeek, an open-source Intrusion Detection System (IDS), plays a key role in monitoring network traffic in real time. Zeek captures traffic flow data and extracts relevant features, such as Flow Duration, Total Fwd Packets, Fwd Packet Length Max, Flow IAT Mean, and Bwd Packets/s. These features are then sent to the pre-trained machine learning models (RF, KNN, and XGBoost) for classification. Based on the input features, the models predict whether the traffic is benign or malicious.

In this phase, the models were tested by simulating DDoS attacks using Python code. When the models classify traffic, legitimate traffic is forwarded to the core network, while malicious traffic is blocked and contained at the MEC layer. This process is dynamic, occurring in real-time without the need for intermediate storage like CSV files, which allows immediate action against threats.

The trained models and Python code were uploaded to a Virtual Private Server (VPS) for testing. The models were saved as .pkl files and loaded into the testing server, where they were used to simulate and analyze traffic. This setup ensures that the models can be tested under live conditions before full deployment.

For future work, the goal is to integrate the trained machine learning models directly with Zeek in the MEC environment. This integration will enable seamless, real-time detection and mitigation of DDoS attacks. By leveraging the low-latency characteristics of MEC, this system aims to block malicious traffic as soon as it is detected, improving overall network security without relying on cloud resources or manual intervention.

On an Ubuntu 22.04 LTS machine ( Figure 12 ), the Python script mec_traffic_monitor.py was created and executed to simulate real-time traffic monitoring and classification. The pre-trained .pkl files for the Random Forest (RF), K-Nearest Neighbor (KNN), and XGBoost models, the models, along with the StandardScaler, were previously downloaded from Google Colab, were uploaded and placed in the same directory as the script. Using the python3 command, the script initiated a dynamic process to simulate traffic flows, with a portion of the traffic mimicking malicious DDoS attacks. Legitimate traffic was identified and forwarded, while malicious traffic was blocked, and the associated IP addresses were recorded in a file named blacklist.txt. A one-second delay (time.sleep(1)) was introduced to regulate the speed of classification, making the results easy to observe in the terminal. It is important to note that this is only a demonstration of the proposed idea. To fully implement this system in a real-world scenario, a complete software solution would need to be developed to run on the MEC layer, capable of handling live traffic streams with scalability and robustness.

In Table 2 , we present the evaluation results for the Random Forest (RF), K-Nearest Neighbor (KNN), and XGBoost models, which were trained on the CIC-DDoS2019 dataset. The models were evaluated using key classification metrics, including precision, recall, F1-score, and accuracy. These metrics allow for a comprehensive understanding of the models’ effectiveness in classifying network traffic into benign and malicious categories.

The evaluation of the three models revealed the following results:

The following performance comparison bar chart ( Figure 13 ) illustrates the accuracy of the models. From the chart, we observe that Random Forest (RF) and XGBoost consistently outperformed KNN in terms of overall accuracy. Despite KNN performing well on certain traffic types, the more complex nature of some DDoS attacks required the more robust models, RF and XGBoost, to yield better results.

The models performed well in distinguishing benign traffic from attacks such as DrDoS_NTP, Syn, and TFTP. However, the challenges were evident for attacks with low frequencies, such as DrDoS_LDAP and WebDDoS, where recall values were notably lower.

Despite the positive results, the study faced several limitations. The most significant challenge is the cost of deploying Multi-Access Edge Computing (MEC) infrastructure at the edge of the network, which could impede its scalability in real-world applications. Moreover, the project did not result in a fully deployable solution that could run autonomously at the MEC layer. Although the machine learning models were validated, the implementation was limited to simulations and requires substantial development to transition into a practical deployment. Additionally, the research focused only on network-layer DDoS attacks, overlooking application-layer threats, which also pose considerable risks in 5G environments.

We successfully integrated the trained RF, KNN, and XGBoost models with Zeek IDS for real-time traffic monitoring and DDoS detection. Future work should focus on fully implementing this system at the MEC layer, ensuring it can autonomously process live traffic and mitigate attacks in real time. Additionally, research should aim to reduce the cost of MEC deployment by exploring shared infrastructure or optimizing resource allocation. Expanding the system to address application-layer DDoS attacks and incorporating other machine learning algorithms could enhance its accuracy and adaptability. This will make the system more robust against evolving threats, enabling it to effectively secure 5G networks at scale.