MULTI-LF: A Unified Continuous Learning Framework for Real-Time DDoS Detection in Multi-Environment Networks

📅 2025-04-15
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the challenges of dynamically evolving DDoS attacks across multi-environment networks, the difficulty of detecting zero-day attacks, and the poor generalizability and real-time performance of existing AI-based detection methods, this paper proposes a real-time, online continual learning detection framework. The framework introduces a dual-model cascaded decision mechanism, comprising a lightweight model (M1) for rapid inference and a high-precision model (M2) for refined classification, integrated with a human-in-the-loop feedback loop that enables confidence-driven adaptive inference and incremental model updates. A realistic attack simulation environment is built using NS-3 and DDoSim, incorporating lightweight ML models, online incremental training, and confidence scoring. Experimental results demonstrate a detection accuracy of 0.999, an average inference latency of 0.866 seconds, memory consumption of 3.632 MB, and CPU utilization of 10.05%, all significantly outperforming the baseline approaches.

📝 Abstract
Detecting Distributed Denial of Service (DDoS) attacks in Multi-Environment (M-En) networks presents significant challenges due to diverse malicious traffic patterns and the evolving nature of cyber threats. Existing AI-based detection systems struggle to adapt to new attack strategies and lack real-time attack detection capabilities with high accuracy and efficiency. This study proposes an online, continuous learning methodology for DDoS detection in M-En networks, enabling continuous model updates and real-time adaptation to emerging threats, including zero-day attacks. First, we develop a unique M-En network dataset by setting up a realistic, real-time simulation using the NS-3 tool, incorporating both victim and bot devices. DDoS attacks with varying packet sizes are simulated using the DDoSim application across IoT and traditional IP-based environments under M-En network criteria. Our approach employs a multi-level framework (MULTI-LF) featuring two machine learning models: a lightweight Model 1 (M1) trained on a selective, critical packet dataset for fast and efficient initial detection, and a more complex, highly accurate Model 2 (M2) trained on extensive data. When M1 exhibits low confidence in its predictions, the decision is escalated to M2 for verification and potential fine-tuning of M1 using insights from M2. If both models demonstrate low confidence, the system flags the incident for human intervention, facilitating model updates with human-verified categories to enhance adaptability to unseen attack patterns. We validate the MULTI-LF through real-world simulations, demonstrating superior classification accuracy of 0.999 and low prediction latency of 0.866 seconds compared to established baselines. Furthermore, we evaluate performance in terms of memory usage (3.632 MB) and CPU utilization (10.05%) in real-time scenarios.
Problem

Research questions and friction points this paper is trying to address.

Detecting diverse DDoS attacks in multi-environment networks
Adapting AI models to new attack strategies in real-time
Balancing detection accuracy and efficiency for zero-day threats
Innovation

Methods, ideas, or system contributions that make the work stand out.

Continuous learning for real-time DDoS detection
Multi-level framework with two ML models
Human intervention for model updates