Adaptable feature-selecting and threshold-moving complete autoencoder for DDoS flood attack mitigation
Journal of Information Security and Applications (IF 5.6), Pub Date: 2020-10-30, DOI: 10.1016/j.jisa.2020.102647
Ili Ko, Desmond Chambers, Enda Barrett

DDoS attacks remain one of the top cyber threats targeting the financial, health care, retail, gaming, and political sectors, causing Internet service disruption and data or monetary loss. Security experts have predicted that the development of 5G technology will increase the frequency and the vectors of DDoS attacks. Moreover, enhanced DDoS attack technology utilises artificial intelligence [1], which will make it harder to identify malicious traffic correctly and mitigate the attack effectively. The Internet service provider (ISP) is the connector between the users and the Internet. Deploying DDoS mitigation systems within the ISP domain can offer an efficient solution. Therefore, we propose a dynamic learning system (DLS) for the ISP. The DLS is an unsupervised ensemble model using the Complete Autoencoder (CA) as base learners to classify network traffic. The main difference between the CA and the regular Autoencoder is that the CA exploits the imbalanced characteristic of the attack data to generate a binary classification via a class switch: when the predicted number of normal IP addresses is over 50% of the total IP addresses, the CA swaps the class of the IP addresses. The CA is directed by a reference object (RO), which is either a reference limit or the mean of a reference error function ($\overline{RL1}$), to provide automation for the DLS. The DLS was trained with a TCP-ICMP flood attack and tested with a UDP-TCP and a UDP-TCP-ICMP flood attack data set. The average Recall, Precision and F1 Score are all above 0.97. Additionally, the DLS outperformed the K-means and the Self-Organising Map models on a UDP flood attack data set.
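The class switch and reference object described in the abstract, as an added Python example that is not code from the paper. It assumes each base learner has already produced a per-IP reconstruction error, that errors at or below the reference object start out as "normal", that the mean error stands in for the mean of the reference error function, and that base learners are combined by majority vote; all names and sample values are constructed.

```python
from collections import Counter
from statistics import mean

NORMAL, ATTACK = "normal", "attack"


def ca_classify(errors, reference_limit=None):
    """One base learner's decision from per-IP reconstruction errors.

    Returns (labels, swapped). All names here are hypothetical.
    """
    if not errors:
        return {}, False
    # Reference object: a fixed reference limit, or the mean error (assumed
    # stand-in for the mean of the reference error function).
    ro = reference_limit if reference_limit is not None else mean(errors.values())
    # Assumption: an error at or below the reference object starts as "normal".
    labels = {ip: NORMAL if e <= ro else ATTACK for ip, e in errors.items()}
    normal_share = sum(v == NORMAL for v in labels.values()) / len(labels)
    swapped = normal_share > 0.5  # strictly over 50%, as the abstract states
    if swapped:
        # Flood sources dominate the IP population, so the majority is attack.
        labels = {ip: ATTACK if v == NORMAL else NORMAL for ip, v in labels.items()}
    return labels, swapped


def ensemble_vote(per_learner_errors, reference_limit=None):
    """Majority vote over base learners (assumed combiner; ties count as attack)."""
    votes = {}
    for errors in per_learner_errors:
        labels, _ = ca_classify(errors, reference_limit)
        for ip, label in labels.items():
            votes.setdefault(ip, Counter())[label] += 1
    return {ip: NORMAL if c[NORMAL] > c[ATTACK] else ATTACK for ip, c in votes.items()}


# Constructed sample: 8 flood sources with low error, 2 legitimate clients.
FLOOD = {f"198.51.100.{i}": e for i, e in
         enumerate([0.02, 0.03, 0.02, 0.04, 0.03, 0.05, 0.02, 0.03], 1)}
LEARNER_A = {**FLOOD, "192.0.2.10": 0.40, "192.0.2.11": 0.55}
LEARNER_B = {ip: e * 1.5 for ip, e in LEARNER_A.items()}
LEARNER_C = {**LEARNER_A, "192.0.2.11": 0.01}  # this learner misjudges one client

if __name__ == "__main__":
    labels, swapped = ca_classify(LEARNER_A)
    print("class switch applied:", swapped)
    for ip, label in sorted(ensemble_vote([LEARNER_A, LEARNER_B, LEARNER_C]).items()):
        print(ip, label)
```
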




Updated: 2020-10-30