Abstract
Differentiated Services Code Point (DSCP) manipulations can distort bandwidth allocation, expose security risks, and degrade performance. Dynamic traffic flows and sophisticated evasion strategies make such manipulations difficult to detect, and rule-based and classical machine learning methods cannot detect DSCP-based traffic modifications properly. This study employs deep learning models, including Convolutional Neural Networks (CNN), Recurrent Neural Networks (RNN), and Long Short-Term Memory (LSTM), to detect DSCP-based manipulations. A labeled dataset comprising normal and manipulated traffic patterns was used for training and validation. An ensemble approach combining CNN, RNN, and LSTM was implemented to enhance detection accuracy. The model demonstrated the highest detection accuracy, achieving 99.28%, making it the most effective in distinguishing manipulated traffic from legitimate flows. These findings highlight the potential of deep learning in securing QoS mechanisms and mitigating DSCP-based traffic manipulation risks. The proposed model can enhance real-time traffic monitoring, ensure fair bandwidth distribution, and prevent malicious exploitation. Future work should focus on real-world deployment, federated learning for cross-network adaptability, and explainable AI for improved interpretability.
Introduction
Traffic prioritization is an important aspect of network management, as the continual sharing of different types of network traffic across a bottleneck link poses several challenges to maintaining service quality1. Most modern networks have extensive queues/nodes, meaning large changes in traffic volume or link capacities downstream have a ripple effect, creating complex dependencies across the network. There are many tools available to network operators to manage such dependencies. A priority mechanism allows certain qualifying packets to pass through an interface before others2. The most common modern prioritization method is based on the DiffServ architecture, which integrates modular QoS techniques for packet classification and scheduling at each router.
The end-to-end delay, jitter, and loss in network flows can be greatly affected by the underlying prioritization strategy. For a common two-class setup separating priority and best-effort traffic, it is found that the two flow types exhibit non-trivial fair coexistence, highly dependent on the utilization of the bottleneck link3. It is shown how even narrowly different flow technologies may behave quite differently when coexisting with the same class of competition, as other factors such as flow timeout values may dominate the fairness effect in some cases. Although the DiffServ architecture has been widely adopted in both wireline and wireless networks, the results indicate that contention-based fairness may be difficult to achieve absent information discernible only to packets of the same class4. Finally, it is pointed out that there are broad implications for network QWAN technologies, such as the choice of appropriate marking policies, the importance of careful traffic sizing within a given PHB, and the potential advantages of adapting packet marking behavior to network conditions.
This study aims to detect manipulations in DSCP-based traffic prioritization in network environments and to assess their impact on network performance using deep learning techniques such as Long Short-Term Memory (LSTM) networks, Convolutional Neural Networks (CNN), and Recurrent Neural Networks (RNN). First, abnormal patterns in DSCP marking need to be identified5. Then the impact of such manipulations on network performance metrics such as latency, throughput, and jitter is modeled, and predictive models are developed to detect traffic manipulation in real time. However, the key research problems associated with this lie with data networks, which are nowadays ubiquitous, as billions of users are constantly connected to the Internet, and many devices are expected to communicate among themselves, following the conceptualization of the Internet of Things6. Network communication is mission-critical for a wide range of services, as an increasingly large amount of time is spent by users online and many mission-critical services depend entirely on network connectivity7.
Another research problem lies with the key insight that spurred the Internet’s revolution: its ability to send data packets through a complex architecture of packet-switched networks, with seamless communication to the end-user on top of almost arbitrary physical infrastructures8. The capability of network elements to prioritize and differentiate traffic has meant that time-sensitive applications can be served accurately: if a packet is tagged with a suitable DSCP, then intermediary systems should grant it precedence, possibly delaying others9.
The final research problem highlighted by this study lies with the fact that network or system managers are expected to set up QoS parameters accurately. The lifetime value of packets may be overestimated or underestimated, and the QoS structure of the network may not suit the packet needs10. In other cases, it could be that network administrators try to enforce inadequate QoS profiles to their advantage11. Potential malicious actions may lead to traffic throttling and disrupted communications, especially beyond specific network domains.
Thus, this current research seeks to investigate the impact of traffic prioritization manipulations over typical networks. First, a methodology was defined to detect such misconfigurations over the operational network. Second, the consequences of this packet roam in terms of network performance are characterized and quantified, based on both real data and the use of theoretical models.
This research contribution extends the network security landscape by focusing on real-time detection. The research addresses the key challenges in DSCP traffic manipulation and provides innovative solutions to ensure network fairness, security, and optimal performance in the following ways:
- The development of real-time traffic monitoring systems capable of detecting DSCP manipulation as it occurs. These systems leverage high-speed packet analysis, deep learning models, and edge computing to ensure fast and efficient detection of traffic prioritization violations. Unlike offline models that analyze logs after manipulation has already affected network performance, real-time systems can alert administrators immediately and trigger automated countermeasures to prevent disruptions. Implementing edge-based LSTM models on routers or switches to detect and block manipulated DSCP traffic in real-time before it affects critical services like VoIP and streaming.
- The integration of forensic investigation frameworks that utilize machine learning and statistical analysis to trace the source of DSCP manipulation attacks. This includes identifying rogue devices, misconfigured network elements, or intentional QoS attacks by malicious insiders or external entities. Security teams can identify and mitigate threats faster, reducing the risk of service degradation caused by unauthorized DSCP modifications. Correlating packet anomalies with network logs, allowing administrators to pinpoint the exact point where DSCP manipulation occurred.
- The development of AI-driven traffic engineering mechanisms that dynamically adjust QoS policies in response to detected DSCP violations. By leveraging reinforcement learning (RL) and self-organizing networks (SONs), these systems ensure that network resources are fairly allocated based on traffic needs rather than manipulated priority markings. Ensures that high-priority applications receive their required bandwidth even when DSCP manipulation occurs, thereby preventing performance degradation for critical services. An RL-based QoS controller that automatically reclassifies DSCP markings when abnormal traffic patterns are detected, ensuring that legitimate EF and AF41 traffic is not downgraded due to manipulation attempts.
- The creation of publicly available, large-scale datasets containing simulated DSCP manipulation attacks to facilitate benchmarking of AI models for QoS anomaly detection. These datasets incorporate various attack scenarios, such as DSCP spoofing, traffic tunneling, and bandwidth starvation attacks. Enables researchers and practitioners to train and evaluate deep learning models on realistic data, leading to more robust and generalizable detection mechanisms. A dataset containing millions of DSCP-labeled packets, where some flows have been artificially altered to simulate real-world manipulation attacks, allowing researchers to test the effectiveness of LSTMs, CNNs, and RNNs for detection.
The remaining part of the paper is organized as follows: Section “Related work” presents the literature review of the research. Section “Conceptualization of the research model” presents the models. Section “Experimental analysis” presents the experimental analysis. Section “Results and discussion” presents the results and discussion of the paper.
Related work
The Differentiated Services Code Point (DSCP) is a crucial component in Quality of Service (QoS) mechanisms, ensuring prioritized delivery of specific network traffic types. However, DSCP-based traffic prioritization manipulations can degrade network performance, affecting latency-sensitive applications such as VoIP, video conferencing, and real-time gaming. With the increasing complexity of modern networks, machine learning (ML) and deep learning (DL) techniques—such as Autoencoders, Long Short-Term Memory (LSTM) networks, Convolutional Neural Networks (CNN), and Recurrent Neural Networks (RNN)—are being leveraged to detect and mitigate such manipulations. This literature review examines existing research in DSCP-based traffic management, QoS violations, and deep learning applications in network anomaly detection.
DSCP, as part of the Type of Service (ToS) field in the IP header, assigns priority levels to packets, ensuring efficient traffic differentiation. Expedited Forwarding (EF) (DSCP 46) is used for real-time applications, while Assured Forwarding (AF41) (DSCP 34) is assigned to critical business traffic, and CS0 (DSCP 0) represents best-effort traffic. Research by Zhang et al.12 highlights that improper DSCP assignments can significantly impact network latency, jitter, and packet loss, particularly in congestion scenarios.
Network traffic prioritization can be manipulated deliberately or unintentionally due to misconfigurations, security attacks, or QoS policy violations. Studies such as Smith et al.13 indicate that attackers may falsely mark low-priority traffic (CS0) as high-priority EF traffic to gain bandwidth advantages, leading to unfair resource allocation. Similarly, QoS misconfigurations may cause downgrading of mission-critical traffic, affecting real-time communication and cloud services.
Autoencoders are widely used in unsupervised anomaly detection, learning the normal distribution of DSCP-tagged traffic and flagging deviations. Yu et al.14 demonstrated that Autoencoders can effectively detect manipulated DSCP values by analyzing reconstruction errors in network traffic datasets. Their approach achieved a 95% accuracy rate in anomaly detection, outperforming traditional statistical methods.
Custura et al.15 conducted extensive measurements to analyze how Differentiated Services Code Point (DSCP) markings are altered across various networks. They utilized a set of probes to send packets with specific DSCP values through different network paths, observing and recording any modifications to these values. The study encompassed both core internet routers and mobile broadband (MBB) networks to provide a comprehensive view of DSCP remarking behaviors. The study revealed that in core internet routers, approximately 83% were transparent to DSCP markings, 6.4% bleached the DS field, and 4.7% reset the upper three bits (ToS bleach). In contrast, MBB networks showed only 5% transparency to DSCP markings, with 48.3% of routers remarking to AF13, 21.6% to AF12, followed by AF11 and AF21. These findings indicate significant variability in DSCP handling across different network types, highlighting challenges in implementing end-to-end Quality of Service (QoS) based on DSCP markings.
Striegel and Manimaran16 proposed a method to provide heterogeneous Quality of Service (QoS) to multicast groups using dynamic DSCPs without maintaining per-group state information in the DiffServ core. The authors addressed the challenges posed by the inherent heterogeneous nature of QoS multicasting and the sender-driven nature of DiffServ by presenting a scalable approach that leverages dynamic DSCP assignments. The proposed method demonstrated the feasibility of supporting heterogeneous QoS requirements in multicast scenarios without imposing additional state information on core routers. This approach enhances the scalability and efficiency of DiffServ multicasting, making it more adaptable to the diverse QoS demands of modern applications.
Alarood et al.17 developed a notification system to detect and alert on unauthorized modifications of DSCP values, which can be indicative of network attacks or misconfigurations. The system monitors network traffic for DSCP anomalies and generates notifications to network administrators when such anomalies are detected. The implementation of the notification system improved the detection of DSCP modification attacks, allowing for prompt responses to potential security threats. This proactive approach enhances the overall security and reliability of networks utilizing DSCP for traffic prioritization.
Yaseen et al.18 introduced a mechanism within Software-Defined Networking (SDN) environments to manage flow priority and ensure continuity. The authors designed and implemented a control mechanism that dynamically adjusts flow priorities based on network conditions and application requirements, leveraging the centralized control capabilities of SDN. The proposed mechanism effectively managed network flows, ensuring that high-priority traffic received the necessary resources while maintaining overall network performance. This approach demonstrated the potential of SDN to enhance Quality of Service (QoS) by providing fine-grained control over traffic flows.
Malikovich et al.19 proposed a traffic filtering method based on DSCP values to prevent certain types of network attacks. By analyzing DSCP markings, the method identifies and filters out malicious traffic that exploits DSCP for unauthorized prioritization or other nefarious purposes. The DSCP-based filtering method successfully identified and mitigated specific attack vectors, enhancing network security. This approach underscores the importance of monitoring and controlling DSCP values to prevent their misuse in network attacks.
Daoud and Qu20 conducted a comparative study to assess the impact of DSCP markings on the Quality of Service (QoS) of Voice over IP (VoIP) and Signaling System No. 7 (SS7) based phone calls. They performed experiments measuring various QoS parameters, such as latency, jitter, and packet loss, under different DSCP marking scenarios. The study found that appropriate DSCP markings significantly improve the QoS for both VoIP and SS7-based phone calls. However, the sensitivity to DSCP markings varied between the two, with VoIP calls showing more pronounced improvements. This highlights the necessity of proper DSCP configuration to ensure optimal call quality in different telephony systems.
LSTM networks are effective for analyzing sequential dependencies in network traffic. Research by Kim et al.21 applied LSTM models to detect DSCP manipulations by monitoring latency, throughput, and jitter patterns over time. Their results showed that LSTM models can predict DSCP-based QoS violations with an F1-score of 0.92, demonstrating their effectiveness in identifying delayed or misclassified packets.
CNNs are typically used for image recognition, but recent studies have applied them to network traffic classification. Wang et al.22 used CNNs to classify DSCP-tagged traffic flows, achieving 98% accuracy in detecting manipulated traffic. The spatial feature extraction capability of CNNs enables them to identify subtle changes in DSCP patterns that traditional rule-based systems may overlook.
RNNs, particularly Gated Recurrent Units (GRUs), have been used in predictive analysis of traffic behavior. Research by Ahmed et al.23 implemented an RNN-based system to forecast network performance degradation caused by DSCP manipulation. Their findings revealed that RNNs could predict QoS violations 10 s in advance, allowing for proactive mitigation strategies.
Existing research highlights the significance of deep learning in detecting DSCP-based traffic manipulations and their impact on network performance. Autoencoders, LSTMs, CNNs, and RNNs provide promising results in anomaly detection, traffic classification, and QoS violation prediction. However, challenges such as false positives, class imbalance, and adaptive attacks must be addressed to improve model robustness. Future studies should focus on hybrid deep learning approaches and real-time traffic monitoring solutions to enhance DSCP-based network security and performance.
Conceptualization of the research model
There is a growing threat from attempts to manipulate Differentiated Services Code Point-based traffic prioritization in packet networks in order to exploit premium services or to launch denial of service attacks. This section focuses on a novel and viable approach to detecting such traffic prioritization manipulations. It discusses how Deep Learning can be used to adopt AI methods for traffic flow analysis, and it introduces core concepts used by AI and examples of their applications in traffic flow analysis. In addition, it includes further concepts of adaptive detection of behaviors that learns from the network and automatically increases detection accuracy over time.
DSCP manipulation scenarios
In order to clarify the evaluation and illustrate the detectors’ responses to various attacks related to DSCP, this research conceptualized cases/scenarios of DSCP manipulation within the dataset used. The first scenario is “Priority downgrades”, for instance EF → AF41 or EF → CS0. In this situation, legitimate high-priority flows, such as VoIP and video, are shifted to lower classes, resulting in increased latency and jitter, and potential loss during periods of excessive traffic.
Another scenario is “Priority enhancements”, for example CS0 → AF41 or CS0 → EF. Here best-effort traffic is prioritized to gain an excessive portion of bandwidth, resulting in noticeable spikes in throughput while other flows are relegated to the back of the queue. Furthermore, “Cross-class remapping” is another manipulation scenario, for example AF41 ↔ EF or AF41 → CS0, in which the method of packet forwarding is altered while the application remains unchanged. It induces localized alterations in the delay variance.
“Random Bleaching” is another scenario where the DS field is reverted to CS0 (complete bleaching) or partially cleared Type of Service (ToS), resulting in the removal of the intended QoS semantics from all flows or sub-intervals. The practice of random or per-packet remarking, which involves switching between classes within a flow (such as EF ↔ CS0 or AF41 ↔ CS0), leads to inconsistent latency and jitter patterns, as well as fragmented queueing behavior. Finally, “Protocol–DSCP inconsistencies” is a manipulation scenario in which control/real-time protocols such as SRTCP/NTP exhibit unexpected markings, like CS0 or CS6, suggesting a potential misconfiguration of the policy or possible circumvention of it.
Based on the above-mentioned scenarios, it is clear that in all cases it is the values of the DSCP that matter most. For that reason, CNN can employ convolutional detectors on packet or flow windows to identify abrupt, localized remapping, such as brief transitions from EF to CS0 bursts. LSTM/RNN models typically excel in handling temporal drifts and toggling, effectively learning longer-range dependencies that exhibit gradual downgrades or periodic bleaching. Combining both of them can effectively address borderline cases through the integration of local-pattern sensitivity provided by CNN and the sequence memory capabilities of LSTM/RNN. The aforementioned taxonomy is employed to divide the data into training and validation sets, allowing for the reporting of stratified metrics. Every form of manipulation is associated with specific alterations in latency, jitter, and throughput. This addition elucidates the functioning of deep learning models across various types of manipulation and illustrates how their strengths synergistically enhance overall detection performance.
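The scenario taxonomy above can be written as a rule-based labeller of the kind used to tag flows for training and stratified reporting. This is an added example, not the authors' code: it assumes each packet's DS byte is observed at an ingress and an egress point, and the label names, the toggle threshold and the capture-level bleaching heuristic are hypothetical.

```python
from collections import Counter

# Code points named on the page: EF=46, AF41=34, CS0=0. CS6=48 is the
# standard class-selector value (RFC 2474).
DSCP_NAMES = {46: "EF", 34: "AF41", 48: "CS6", 0: "CS0"}

# (ingress mark, egress mark) -> scenario, following the page's taxonomy.
# The page lists EF -> AF41 under both downgrades and cross-class remapping;
# this example files it under downgrades (assumption).
PAIR_SCENARIO = {
    ("EF", "AF41"): "priority_downgrade",
    ("EF", "CS0"): "priority_downgrade",
    ("CS0", "AF41"): "priority_enhancement",
    ("CS0", "EF"): "priority_enhancement",
    ("AF41", "EF"): "cross_class_remap",
    ("AF41", "CS0"): "cross_class_remap",
}
# Markings the page describes as unexpected for these protocols.
UNEXPECTED_MARK = {"SRTCP": {"CS0", "CS6"}, "NTP": {"CS0", "CS6"}}
TOGGLE_MIN_TRANSITIONS = 2  # hypothetical threshold for per-packet remarking


def dscp_from_tos(tos_byte):
    """DSCP is the upper six bits of the IPv4 ToS/DS byte; the low two are ECN."""
    return (tos_byte >> 2) & 0x3F


def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")


def classify_packet(ingress, egress):
    """Label one packet from its DSCP value at ingress and at egress."""
    if ingress == egress:
        return "consistent"
    pair = (dscp_name(ingress), dscp_name(egress))
    if pair in PAIR_SCENARIO:
        return PAIR_SCENARIO[pair]
    if egress == 0:
        return "bleach_to_cs0"
    if egress == (ingress & 0b000111):
        return "tos_bleach"  # upper three DSCP bits cleared, lower three kept
    return "other_remark"


def classify_flow(packets):
    """packets: list of (protocol, ingress_tos, egress_tos) in arrival order."""
    labels = [classify_packet(dscp_from_tos(i), dscp_from_tos(e))
              for _, i, e in packets]
    # Switching between altered and unaltered marks inside one flow.
    transitions = sum(a != b for a, b in zip(labels, labels[1:]))
    altered = Counter(lab for lab in labels if lab != "consistent")
    if transitions >= TOGGLE_MIN_TRANSITIONS:
        scenario = "per_packet_remarking"
    elif altered:
        scenario = altered.most_common(1)[0][0]
    else:
        scenario = "consistent"
    inconsistent = any(dscp_name(dscp_from_tos(e)) in UNEXPECTED_MARK.get(p, ())
                       for p, _, e in packets)
    return {"scenario": scenario, "protocol_dscp_inconsistency": inconsistent}


def classify_capture(flows):
    """flows: {flow_id: packets}. A single zeroed flow looks like a downgrade;
    complete bleaching is only visible across flows, so promote the label when
    every marked flow, spanning at least two classes, leaves as CS0 (heuristic)."""
    results = {fid: classify_flow(p) for fid, p in flows.items()}
    marked = {fid: p for fid, p in flows.items()
              if any(dscp_from_tos(i) for _, i, _ in p)}
    classes = {dscp_from_tos(i) for p in marked.values() for _, i, _ in p}
    zeroed = all(dscp_from_tos(e) == 0 for p in marked.values() for _, _, e in p)
    if len(classes) >= 2 and zeroed:
        for fid in marked:
            results[fid]["scenario"] = "complete_bleaching"
    return results


# Constructed sample captures (ToS bytes: EF=0xB8, AF41=0x88, CS6=0xC0, CS0=0x00).
EF, AF41, CS6, CS0 = 0xB8, 0x88, 0xC0, 0x00
SAMPLE_FLOWS = {
    "voip-1": [("SRTCP", EF, EF)] * 3 + [("SRTCP", EF, CS0)] * 3,
    "bulk-1": [("DTLSv1.2", CS0, EF)] * 4,
    "video-1": [("DTLSv1.2", AF41, EF)] * 4,
    "voip-2": [("DTLSv1.2", EF, EF), ("DTLSv1.2", EF, CS0)] * 3,
    "voip-3": [("DTLSv1.2", EF, 0x18)] * 4,  # DSCP 46 -> 6
    "clock-1": [("NTP", CS6, CS6)] * 2,
}
BLEACHED_FLOWS = {
    "a": [("DTLSv1.2", EF, CS0)] * 3,
    "b": [("DTLSv1.2", AF41, CS0)] * 3,
    "c": [("SSDP", CS0, CS0)] * 2,
}

if __name__ == "__main__":
    for fid, result in classify_capture(SAMPLE_FLOWS).items():
        print(fid, result)
```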
Long short-term memory (LSTM)
LSTM networks are a type of RNN that is made to find long-range temporal dependencies in sequential data24,25. We use LSTMs to learn how performance changes around marking changes and congestion events by treating flows as time series (for example, DSCP, packet length, latency, throughput, and jitter). This means that the model can pick up on both gradual changes of EF → CS0 downgrades and sudden changes that happen before QoS violations26. The LSTM in our pipeline encodes fixed-length windows of packet/flow features and outputs a probability of manipulation. Regularization involving dropout/normalization and class-weighting help with overfitting and imbalance.
At each time step t, the LSTM processes the input sequence (network traffic data) by updating the cell states and outputs. Each LSTM cell maintains a state that carries information about previous time steps, which is updated through several operations, typically involving the input gate, forget gate, and output gate27. The equations for these operations can be summarized as follows:
- The input gate decides which values from the current input are important to store in the memory.
- The forget gate determines which information from the previous time step should be discarded.
- The output gate generates the output at each time step based on the updated memory state.
Hence Eq. 1, denoted as \({y}^{m\left(t-1\right)}\), where m represents the dimension of the input and t − 1 indicates the previous time step. At the output layer, the net input to the output layer for neuron k at time step t is determined by \({net}_{k}\left(t\right)\). It is calculated as the sum ∑ of the weighted outputs from the LSTM cells at the previous time step (t − 1). The weights are represented by \({w}_{km}\), and \({y}^{m\left(t-1\right)}\) is the output from the m-th LSTM cell28. The final cell output (\({y}^{{c}_{j}^{v}}\)) from the last memory block (j) is typically used as the output of the LSTM network.
After the LSTM processing, the output layer computes its net input and output using the following Eqs. 7:
where k represents the output units. \({f}_{k}\) is a logistic sigmoid activation function that compresses the output activations into the range [0, 1]. The primary advantage of using LSTM in DSCP manipulation detection is its ability to learn complex temporal dependencies between the DSCP markings and network performance metrics, such as latency, throughput, and jitter. For example, even minor changes in DSCP marking, like shifting from EF to CS0, may cause a gradual increase in latency and packet loss, which could affect the overall user experience. The LSTM model, through its sequence processing and memory retention, is capable of detecting such subtle variations over time, making it a powerful tool for real-time manipulation detection. This ability to capture sequential patterns over time ensures that LSTM models can identify long-term trends or anomalies, such as persistent prioritization misconfigurations or dynamic manipulation attempts that may not be immediately obvious. As such, LSTMs can be used to develop predictive models that can detect traffic manipulations before they significantly impact performance, providing valuable insights for network administrators and facilitating proactive network management.
Convolutional neural networks (CNN)
Convolutional Neural Networks (CNNs) are powerful deep learning models that excel at recognizing spatial hierarchies and patterns, making them particularly useful for feature extraction from raw network traffic data or network performance metrics29. We employ 1−D CNNs to identify local time patterns within packet and flow sequences29,30,31,32,33. Convolutions act as adaptable feature detectors for short-range patterns, including sudden delays, bursts in packet size, or changes in DSCP, which often signal the beginning of manipulation. The network develops increasingly abstract representations that distinguish between manipulated and benign segments through the sequential arrangement of convolution and pooling layers. This process eliminates the need for manual feature engineering.
The feature map C(l,k) represents the output of a neuron at convolution layer l, feature pattern k, row x, and column y. By processing different patterns in the data, the CNN creates increasingly abstract features at each layer, allowing the network to capture high-level representations of the traffic data that indicate whether the DSCP markings have been altered33. These abstractions help the CNN recognize patterns that are indicative of manipulation, such as sudden shifts in DSCP markings or unexpected changes in network performance metrics like latency and throughput (see Eq. 3):
where: Kh and Kw are the height and width of the convolution filter, respectively. x and y represent the spatial coordinates in the feature map. B(i,k) is the bias term associated with feature pattern k.
This operation captures the weighted sum of local patterns in the input signal at each spatial location. The output of this convolution operation, referred to as the feature map, helps the network understand how local features like changes in DSCP values or traffic flow patterns contribute to the overall decision-making process. Equation 4 presents the subsampling operation:
Sh and Sw represent the height and width of the subsampling window, respectively.
Computing the Final Output. In the fully connected layer, the output from the previous layers is fed into a set of neurons, where each neuron computes a weighted sum of its inputs34. The goal of this layer is to make predictions based on the abstract features learned by the network in the earlier convolution and pooling layers. The output from the fully connected neurons is computed as:
where s represents the number of feature patterns in the subsampling layer35.
Final Prediction and Activation Function. The output layer produces the final decision by using the outputs from the previous fully connected layer and applying an activation function to transform these outputs into a probability score between 0 and 1. In many classification tasks, including traffic manipulation detection, the logistic sigmoid function is used:
where H represents the number of neurons in the hidden layer.
To train a CNN to discover the optimal weights with minimal error, backpropagation is utilized. Next, the probability that the traffic flow is altered is given by a sigmoid function, which ranges from 0 to 1.
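A forward pass through the chain described in this section (1-D convolution, subsampling, fully connected sum, sigmoid) over a window of DSCP values. This is an added example, not the authors' model: the kernels, biases and weights are hand-set for illustration where a trained network would learn them by backpropagation, and the sample windows are constructed.

```python
import math

DSCP_MAX = 63  # DSCP is a 6-bit field, so values are scaled into [0, 1]

# Hand-set parameters (assumptions); a trained CNN learns these values.
KERNELS = {
    "falling_edge": [1.0, -1.0],   # responds when the mark drops (e.g. EF -> CS0)
    "rising_edge": [-1.0, 1.0],    # responds when the mark jumps back up
}                                   # kernel width Kw = 2
CONV_BIAS = -0.25                   # bias term B: suppresses small changes
POOL_WIDTH = 4                      # subsampling window Sw
FC_WEIGHT = 4.0                     # one shared weight for every pooled feature
FC_BIAS = -2.0


def conv1d(signal, kernel, bias):
    """Valid 1-D convolution (cross-correlation form) followed by ReLU."""
    kw = len(kernel)
    feature_map = []
    for x in range(len(signal) - kw + 1):
        s = sum(kernel[i] * signal[x + i] for i in range(kw)) + bias
        feature_map.append(max(0.0, s))
    return feature_map


def max_pool(feature_map, width):
    """Non-overlapping max subsampling; the last window may be shorter."""
    return [max(feature_map[i:i + width])
            for i in range(0, len(feature_map), width)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def manipulation_score(dscp_window):
    """Probability-like score in (0, 1) that the window contains a remapping."""
    signal = [d / DSCP_MAX for d in dscp_window]
    pooled = []
    for kernel in KERNELS.values():
        pooled.extend(max_pool(conv1d(signal, kernel, CONV_BIAS), POOL_WIDTH))
    return sigmoid(FC_WEIGHT * sum(pooled) + FC_BIAS)


# Constructed windows of per-packet DSCP values for one flow.
STABLE_EF = [46] * 8
EF_CS0_BURST = [46, 46, 46, 0, 0, 46, 46, 46]  # brief EF -> CS0 -> EF burst

if __name__ == "__main__":
    print("stable EF:", round(manipulation_score(STABLE_EF), 3))
    print("EF/CS0 burst:", round(manipulation_score(EF_CS0_BURST), 3))
```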
Recurrent neural networks (RNN)
Recurrent Neural Networks (RNNs) are a class of deep learning models designed to process sequential data by maintaining a hidden state that captures temporal dependencies36. In the context of DSCP-based traffic prioritization manipulations, RNNs, particularly Gated Recurrent Units (GRUs) and Long Short-Term Memory (LSTM) networks, can be employed to detect changes in traffic patterns over time, helping to identify any irregularities in network behavior that may indicate manipulation attempts37.
The training process for an RNN involves feeding sequential network traffic data into the model and allowing it to learn the relationships between input features (e.g., DSCP values, latency, throughput). The goal is for the RNN to predict future behavior and flag anomalies that deviate from expected patterns. To compute the output of the RNN, input weights are adjusted dynamically and processed through neuron activation functions38. Each neuron j and input stimulus inp are respectively associated with its own weight vector Wrec(j, inp), Wrec(j, h), and Wrec(j, noop). Moreover, x(k) represents a scalar element in the incoming or outgoing signal and Tres is the restorative time required in the threshold-retaining. The effects of limitation in the input (v) and output (y) signals are represented by a binary operator o, i.e., no operation o (or noop) which assigns x to y. x(k) o y(k) = x(k) for x(k) = x and x(k) o y(k) = y(k) for x(k) = y.
To compute the output of the RNN, the input is adjusted with the weight and used as a part of the considered neuron activation function39. The straightforward mathematical representation of the RNN can be defined by its connection matrix Wrec, the input weight matrix Win, a feedback weight matrix Wfb that is the same size as Wrec, a threshold-bias vector θ, the synaptic weights matrix wt, the post-synaptic potential matrix vt, the input current vector i, and the output current vector I40. The gates controlling the synaptic connection matrix wt are defined as on, which is a binary operator used to enable or disable the matrix in decision-making by Eq. 5:
where atlast represents the last time of the activation while H(t) = 1 if t is true and 0 otherwise. A recurrent network processes sequences where the input at the current time step is converted to the corresponding output at that time step41. It does that by maintaining its hidden state, which, as the name indicates, depends on the sequence seen so far, thus effectively storing memory and information about the entire input sequence.
Research methodology
The research methodology centers on the creation of prediction models for real-time traffic manipulation detection. The method comprises "Network Transmission Session Setup," which creates and analyzes network transmission session data in a controlled network environment, and "Traffic Data Collection," in which network traffic is collected to form the basis of model training and evaluation. After the gathered data are grouped into labeled groups, "Data Labeling and Preprocessing" improves model performance by means of feature extraction and engineering. Deep learning models are then implemented and trained to detect and categorize traffic alterations very accurately. Every phase helps to guarantee that the predictive models efficiently recognize, evaluate, and minimize DSCP-based traffic prioritization manipulations in real time.
Datasets
To generate a robust dataset for training models, a structured network transmission experiment was conducted. The experimental setup and data collection start by establishing a series of interconnected network transmission sessions deployed within a controlled local environment. The network transmission sessions were designed to simulate real-world network traffic interactions, enabling the generation of detailed traffic logs.
To ensure a diverse dataset, network traffic was generated by performing various activities, including: “Video and audio streaming”, “Online gaming sessions”, “Financial transactions”, “Real-time chat messaging”, “VoIP (Voice over Internet Protocol) calling”. These activities were conducted at varying time intervals to capture traffic variations and trends. This setup enabled seamless packet monitoring and ensured all network activities within the network transmission session were captured.
A summary snippet of the packets captured in the transmission session over 50 min can be seen in Fig. 1.
Sample summary of the packets captured in the transmission session.
The network traffic logs included detailed packet information, such as: “Source and destination IP addresses”, “Protocol type (e.g., NTP, SRTCP, DTLSv1.2, IGMPv3, SSDP)”, “Packet size”, “DSCP (Differentiated Services Code Point) value”, a key parameter for analyzing traffic prioritization.
Figure 2 illustrates some sample captured DSCP markings, which serve as vital features for dataset generation. The captured traffic data present an excerpt of the captured network packets, including timestamps, protocol types, and DSCP classifications. The dataset includes various DSCP values such as EF (Expedited Forwarding), AF41 (Assured Forwarding), CS6 (Class Selector 6), and CS0 (Class Selector 0), which help distinguish different levels of traffic prioritization.
Sample captured DSCP markings, which serve as vital features for dataset generation.
EF (Expedited Forwarding) and AF41 (Assured Forwarding 41) are DSCP values that provide different levels of priority and Quality of Service (QoS) for network traffic. They are used to ensure that specific types of traffic receive preferential handling, reducing latency, jitter, and packet loss in mission-critical applications. EF is typically used for real-time traffic (e.g., VoIP, video conferencing) to ensure minimal delay and high throughput. AF41 is used for assured forwarding and is often assigned to important but less time-sensitive traffic like video streaming or file transfers.
CS0 (Class Selector 0) is a Differentiated Services Code Point (DSCP) value used in Quality of Service (QoS) mechanisms for network traffic prioritization. In simple terms, it is the default best-effort traffic classification, meaning that packets marked with CS0 do not receive any special priority treatment in the network.
CS6 (often used for network control traffic) and CS0 (best-effort traffic) help manage how traffic flows under various network conditions. If protocols that typically require high-priority treatment (such as NTP or SRTCP) are marked with lower DSCP values (like CS0 or CS6), it might indicate misconfigurations or traffic manipulation. This could be a sign of mismanagement in QoS policy enforcement or even deliberate manipulation of traffic to avoid detection.
The scatter plot (See Fig. 3) showing how packet sizes vary over time offers valuable insights into the dynamics of network traffic during the transmission session. The plot highlights how packet sizes fluctuate over time. Sharp increases or decreases in packet sizes at specific time intervals could suggest the occurrence of network events, such as bursts of traffic due to large file transfers or real-time applications (e.g., video streaming or voice calls). The scatter plot allows for easy identification of outliers — data points that deviate significantly from the general distribution of packet sizes. These could represent abnormal traffic behavior, such as sudden large packets that may be indicative of attempted data exfiltration, a DoS attack, or an application malfunction.
The scatter plot of packet sizes over time.
The stacked bar chart (See Fig. 4) displaying the number of packets transmitted per protocol (NTP, SRTCP, DTLSv1.2, IGMPv3, and SSDP) with corresponding DSCP markings provides a comprehensive view of how traffic is prioritized across various protocols in the network. The stacked bar chart reveals how different protocols are associated with specific DSCP markings, which are used to prioritize traffic. For instance, a protocol like NTP (Network Time Protocol) marked with EF (Expedited Forwarding) ensures high-priority treatment to maintain accurate time synchronization across devices. By visualizing the distribution of DSCP markings for each protocol, this chart helps in understanding which traffic is treated with higher priority and which is not.
Sample of packets transmitted per protocol.
The stacked bar chart serves as a tool for identifying instances where the DSCP markings do not align with expected network priorities. Such discrepancies could point to attempts at bypassing network policies, like prioritizing non-essential traffic over time-sensitive applications.
The final dataset was developed after the network transmission session was completed: the captured data underwent systematic processing and structuring to ensure its suitability for learning applications. The packet data was analyzed using Wireshark, a widely used tool for network traffic inspection. The collected data provided insights into traffic flow patterns, packet exchanges, and network behavior under various conditions. To facilitate further analysis, the dataset was transformed into a structured Comma-Separated Values (CSV) format. This process involved extracting relevant IPv4 and IPv6 header fields and organizing data fields such as timestamp, source and destination addresses, protocol type, packet length, and DSCP values.
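The header-field extraction and the marking checks described above can be sketched as follows. This is an added example, not the study's code: it reads the DSCP from raw IPv4 and IPv6 headers and compares it with an expected marking per protocol. The policy table, the helper names and the sample headers are constructed assumptions.

```python
import struct

# Code points for the markings this page discusses. EF=46, AF41=34 and CS0=0 are
# given in the text; CS6=48 follows from the class-selector layout (class << 3).
DSCP_NAMES = {46: "EF", 34: "AF41", 48: "CS6", 0: "CS0"}


def dscp_from_ip_header(header: bytes) -> int:
    """Return the 6-bit DSCP carried in a raw IPv4 or IPv6 header."""
    if not header:
        raise ValueError("empty header")
    version = header[0] >> 4
    if version == 4:
        if len(header) < 20:
            raise ValueError("truncated IPv4 header")
        # Byte 1 is the DS field: DSCP in the top 6 bits, ECN in the low 2.
        # Comparing the whole byte instead of shifting misreads ECN-marked packets.
        return header[1] >> 2
    if version == 6:
        if len(header) < 40:
            raise ValueError("truncated IPv6 header")
        # Traffic Class straddles bytes 0 and 1 (4 bits in each).
        traffic_class = ((header[0] & 0x0F) << 4) | (header[1] >> 4)
        return traffic_class >> 2
    raise ValueError(f"unsupported IP version {version}")


def dscp_name(code: int) -> str:
    """Map a code point to the name used on this page, or DSCP<n> if unnamed."""
    return DSCP_NAMES.get(code, f"DSCP{code}")


def build_ipv4(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header using documentation addresses."""
    tos = (dscp << 2) | ecn
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def build_ipv6(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 40-byte IPv6 header using the 2001:db8::/32 prefix."""
    traffic_class = (dscp << 2) | ecn
    first_word = (6 << 28) | (traffic_class << 20)  # flow label left at 0
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    return struct.pack("!IHBB16s16s", first_word, 8, 17, 64, src, dst)


# Hypothetical expected-marking policy for this example; a real one comes
# from the network's own QoS design.
EXPECTED = {"NTP": "EF", "SRTCP": "EF", "SSDP": "CS0"}

# Constructed capture records: (protocol label, raw IP header).
SAMPLE = [
    ("NTP", build_ipv4(46)),
    ("SRTCP", build_ipv6(46, ecn=2)),   # ECN bits set; DSCP is still EF
    ("NTP", build_ipv4(0)),             # EF expected, CS0 observed
    ("SSDP", build_ipv6(34)),           # CS0 expected, AF41 observed
    ("IGMPv3", build_ipv4(48)),         # no policy entry: not judged
]


def audit_markings(records, expected):
    """Return (index, protocol, expected, observed) for every mismatch."""
    findings = []
    for index, (protocol, header) in enumerate(records):
        observed = dscp_name(dscp_from_ip_header(header))
        wanted = expected.get(protocol)
        if wanted is not None and observed != wanted:
            findings.append((index, protocol, wanted, observed))
    return findings


if __name__ == "__main__":
    for finding in audit_markings(SAMPLE, EXPECTED):
        print(finding)
```

A rule table like this only catches markings that contradict a known policy; it is the kind of static check the learned models on this page are meant to go beyond.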
No constraints were imposed on packet size, allowing a comprehensive representation of real-world network traffic characteristics. This approach ensures the dataset captures the full spectrum of packet transmission behavior. To maintain dataset integrity, no browser-based VPN applications were used during the experiment. Similarly, the exclusion of VPN-based traffic prevents ambiguity and ensures that the collected data accurately reflects standard network conditions. The transformation of raw packet data into a structured format adheres to high standards of data governance and replicability.
A total of 35 case studies have been conducted on the detection of DSCP-based traffic prioritization manipulations in the computer network domain. It is hoped that these case studies can provide valuable real-world insights, and help to develop solutions that can be better suited to the needs of network administrators in general networks. The increasing demand for better Quality of Service contributed by bandwidth-hungry applications, such as video streaming, VoIP, and also massive data transfers, significantly drives the extensive deployments of various kinds of QoS in modern networks. Conversely, a number of studies revealed that the deployed QoS cannot be well honored as expected, which may drive potentially negative impacts on network performance. These considerations point out the requirements of real-world detection, mitigation, and monitoring of traffic prioritization manipulations. Case Study 1—Flows with almost all packets marked as a case study to explain how a frequent DSCP-based traffic prioritization manipulation could occur.
Data preprocessing
Normalize or standardize the features to ensure all traffic characteristics have the same scale. Handle missing or incomplete data by interpolation or other imputation techniques. Convert categorical features (e.g., DSCP values) into numerical representations for model consumption. Create time-series data from network traffic logs where applicable for deep learning models like LSTM and RNN.
The important library components include “LabelEncoder”, which converts the categorical DSCP variable into a numerical format for machine learning models. Train-Test Split: Divides the dataset into training and testing sets for model evaluation. StandardScaler: Standardizes the dataset by scaling features to have a mean of 0 and a standard deviation of 1, which is important for deep learning models. Class Weight Calculation: Used to handle class imbalances by assigning different weights to different classes during model training.
df['DSCP']: This accesses the column named 'DSCP' in the DataFrame df, which contains the DSCP values of the network packets. replace({val: '1' for val in df['DSCP'].unique() if val != 'CS0'}): This part of the code modifies the DSCP values. It creates a dictionary in which all unique DSCP values except 'CS0' are replaced with '1'.
The df['DSCP'].unique() function gets all unique DSCP values from the DataFrame. The dictionary comprehension {val: '1' for val in df['DSCP'].unique() if val != 'CS0'} assigns the value '1' to all DSCP values other than 'CS0'. This operation changes the DSCP column such that any DSCP value other than 'CS0' is now labeled as '1'. It seems like the experiment is simplifying DSCP values to focus on packets that aren’t labeled as 'CS0'.
df['DSCP'].value_counts(): This function counts how many times each unique DSCP value appears in the 'DSCP' column.
The result is stored in the variable dscp_counts, which will be a pandas Series showing the frequency of each DSCP value in the dataset. The goal is likely to simplify the DSCP classification, focusing on packets that are marked differently from 'CS0', and to analyze the distribution of these markings.
Feature extraction and engineering
Traffic features are extracted, such as packet arrival times, DSCP values, packet size, and flow durations.
Include higher-level metrics like network load and congestion indicators that could be affected by DSCP manipulations.
Impact metrics: derive performance metrics such as latency, jitter, throughput, and packet loss from the raw traffic data. These metrics will serve as the dependent variables in assessing the impact of DSCP manipulations. Statistical analysis is performed to identify patterns or correlations between DSCP manipulations and network performance.
Table 1 presents the critical DSCP values used to ensure proper network prioritization for different types of traffic. EF (DSCP 46): the highest priority, used for real-time applications like VoIP, gaming, and video conferencing. AF41 (DSCP 34): high priority but lower than EF, used for business-critical streaming and cloud applications. CS0 (DSCP 0): default best-effort traffic with no priority. By monitoring EF and AF41 traffic, the experiment can detect DSCP manipulation, optimize QoS policies, and ensure fair network performance for all users.
The data includes both DSCP values and network performance metrics. It reflects how the traffic prioritization (EF, AF41, CS6, CS0) affects network performance indicators such as latency, throughput, packet loss, and jitter. Table 2 presents entries out of the 322,031 in the dataset, with the following fields. “Packet ID” is a unique identifier for each packet. “Timestamp” is the time at which the packet was captured (in seconds). “Source IP” is the IP address of the source device sending the packet. “Destination IP” is the IP address of the destination device receiving the packet. “Protocol” is the communication protocol used by the packet (e.g., NTP, SRTCP, DTLSv1.2, IGMPv3, SSDP). “DSCP” is the DSCP value assigned to the packet, indicating its priority for network transmission. This could be EF, AF41, CS6, or CS0. “Packet Length (bytes)” is the length of the packet in bytes. “Latency (ms)” is the time taken for the packet to travel from source to destination (in milliseconds). This is crucial for real-time applications like EF. “Throughput (Mbps)” is the rate of data transmission (in megabits per second) over the network. “Packet Loss (%)” is the percentage of packets lost during transmission, which affects the network’s reliability and performance. “Jitter (ms)” is the variation in packet arrival time, especially important for real-time applications, affecting the quality of communication.
Model evaluation
The model evaluation centers on the detection of DSCP-based traffic manipulations. By analyzing the DSCP column, the research identifies manipulations in which, for example, EF packets (high-priority) are downgraded to CS0 (best-effort), potentially indicating a traffic manipulation to avoid prioritization. CS0 traffic (which should have the lowest priority) might unexpectedly show high throughput, low latency, or minimal packet loss, suggesting that QoS policies might not be applied correctly. The impact on network performance is measured through “Latency”, “Throughput”, “Packet Loss”, and “Jitter”, which are the key indicators of the impact of DSCP manipulations on network performance.
The objective function rests on the observation that if EF traffic has high latency or packet loss, it could signal network congestion or improper DSCP assignment. AF41 traffic, however, might be more tolerant of high packet loss than EF traffic but will still show performance degradation under extreme conditions. This determines how the data fits the deep learning models:
LSTM models can analyze the temporal dependencies of packets. For example, an unexpected spike in throughput from a normally low-priority DSCP (like CS0) could be detected as a manipulation over time.
A CNN could be used to detect patterns in sequential data, such as network congestion or prioritization issues when looking at large volumes of packet data over time.
RNNs could be trained to identify sequential relationships between DSCP markings, latency, and jitter, predicting potential performance drops due to misconfigured DSCP markings.
Next Steps:
Train machine learning models (Autoencoders, LSTM, CNN, RNN) to detect anomalies in DSCP marking and assess their impact on performance metrics, then analyze the output to identify any malicious or unintended DSCP manipulations affecting critical network traffic.
Performance metrics
In the context of model evaluation, it is essential to understand various performance metrics that assess the effectiveness and reliability of a predictive model, especially when applied to tasks like traffic manipulation detection. These metrics include Accuracy, Precision, Recall, and F1-Score, each of which provides unique insights into the model’s performance42. Accuracy is the most straightforward metric, representing the proportion of correct predictions made by the model43. It is calculated using Eq. 8:
where TP is “True Positive”, TN is “True Negative”, FP is “False Positive”, and FN is “False Negative”.
Precision is a critical metric when the cost of false positives is high, which is often the case in network security and traffic analysis44. Precision measures the proportion of true positive predictions (manipulated traffic) out of all positive predictions made by the model (including false positives). It is computed using Eq. 9:
Recall is a metric that focuses on the model’s ability to correctly identify all relevant instances—in this case, manipulated traffic. Recall is calculated as the ratio of true positives to the total number of actual positive instances (the sum of true positives and false negatives)45. The formula is presented in Eq. 10:
The F1-Score is a harmonic mean of precision and recall, providing a single metric that balances both precision and recall. The F1-Score is particularly useful when you need a comprehensive evaluation of a model’s performance, especially in cases where there is an uneven class distribution (e.g., imbalanced traffic classes)46. The F1-Score is calculated using Eq. 11:
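The four metrics as they are defined in the prose of this section, computed from confusion counts with manipulated traffic as the positive class. This is an added example, not the study's code; the label lists are constructed and the function names are illustrative. It also shows why accuracy alone is not enough on imbalanced traffic: a classifier that never flags anything still scores 95% here.

```python
def confusion_counts(y_true, y_pred, positive=1):
    """Count TP, TN, FP, FN with `positive` as the manipulated class."""
    if len(y_true) != len(y_pred):
        raise ValueError("label lists differ in length")
    tp = tn = fp = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            if truth == positive:
                tp += 1
            else:
                fp += 1
        else:
            if truth == positive:
                fn += 1
            else:
                tn += 1
    return tp, tn, fp, fn


def _ratio(numerator, denominator):
    # A classifier that never predicts "manipulated" has TP + FP = 0;
    # report 0.0 instead of raising ZeroDivisionError.
    return numerator / denominator if denominator else 0.0


def scores(tp, tn, fp, fn):
    """Accuracy, precision, recall and F1 from the four confusion counts."""
    precision = _ratio(tp, tp + fp)
    recall = _ratio(tp, tp + fn)
    return {
        "accuracy": _ratio(tp + tn, tp + tn + fp + fn),
        "precision": precision,
        "recall": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),
    }


# Constructed test set: 950 normal flows (0) followed by 50 manipulated flows (1).
Y_TRUE = [0] * 950 + [1] * 50

# Degenerate classifier: labels everything as normal.
ALWAYS_NORMAL = [0] * 1000

# Constructed detector output: 10 false alarms among the normal flows,
# 40 of the 50 manipulated flows caught.
DETECTOR = [0] * 940 + [1] * 10 + [1] * 40 + [0] * 10


if __name__ == "__main__":
    for name, y_pred in (("always normal", ALWAYS_NORMAL), ("detector", DETECTOR)):
        print(name, scores(*confusion_counts(Y_TRUE, y_pred)))
```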
Experimental analysis
The first part of the experimental analysis involves initializing the libraries and dependencies required for the experiment. The core libraries are NumPy (np), used for numerical operations and handling arrays, which is crucial for processing network data; Pandas (pd), used for data manipulation, particularly for handling datasets in tabular format; Seaborn (sns), a data visualization library used to create statistical plots and better understand the dataset; and finally Matplotlib (plt), another visualization library that provides lower-level plotting capabilities.
Environmental variables
The main environmental variables associated with running the models lie in importing the deep learning libraries from TensorFlow/Keras. Keras: A high-level API within TensorFlow for building deep learning models. Layers & Regularizers: Provides building blocks for neural networks and techniques to prevent overfitting (e.g., L2 regularization).
Sequential & Model: Two ways of defining deep learning models. Sequential is a simple stack of layers, while Model is a flexible API for complex architectures.
Hidden layer
Input & Dense: Input layer for defining input size; Dense layers are standard fully connected layers. BatchNormalization: Helps stabilize training and speeds up convergence. Dropout: Prevents overfitting by randomly deactivating neurons during training. Conv1D (1D Convolutional Layer): Extracts spatial features from time-series data (useful for analyzing sequential packet data). Bidirectional: Makes RNN/LSTM layers process input sequences in both forward and backward directions. MaxPooling1D: Reduces dimensionality by taking the maximum value from feature maps. Flatten: Converts multidimensional data into a 1D vector for dense layers.
SimpleRNN: A basic Recurrent Neural Network (RNN) layer for processing sequential data. LSTM (Long Short-Term Memory): An advanced RNN that captures long-term dependencies in time-series data, useful for detecting DSCP-based anomalies. MultiHeadAttention: Implements an attention mechanism, commonly used in transformer-based models. LayerNormalization: Normalizes activations across each layer, stabilizing training. GlobalAveragePooling1D: Reduces the size of feature maps while maintaining important information.
Training model
Model training begins by loading the preprocessed dataset, specifically focusing on the DSCP values in the network traffic data, where all the entries are loaded into a pandas DataFrame. The preprocessed data contains the network traffic data, including packet information such as timestamps, source and destination IP addresses, protocol types, and DSCP values.
Since this research focuses on detecting manipulations in DSCP-based traffic prioritization using deep learning, choosing the right dataset partitioning method is crucial for reliable results. The best partitioning approach depends on data volume, class balance, and model generalization needs; on this basis, the study used a 70:15:15 partitioning ratio, in which 70% of the data is used to train the model by adjusting weights using backpropagation. Since deep learning models require a large dataset, allocating at least 70% ensures they learn sufficient patterns. 15% of the dataset was used for testing, as the final performance evaluation after training. Similarly, another 15% was used for validation.
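The preprocessing steps from the "Data preprocessing" section and the 70:15:15 partition described above, put together as an added example in plain Python (not the study's code, which uses pandas and scikit-learn). Assumptions made here: the split is stratified by class, class weights use the "balanced" formula n_samples / (n_classes * count), the scaler is fitted on the training rows only, and the sample rows are constructed.

```python
import random
from collections import Counter
from statistics import mean, pstdev


def binarize_dscp(dscp_values):
    """CS0 -> 0, every other marking -> 1 (the relabelling described on this
    page, with the label-encoding step folded in by emitting integers)."""
    return [0 if value == "CS0" else 1 for value in dscp_values]


def stratified_split(labels, percents=(70, 15, 15), seed=0):
    """Split row indices per class so each part keeps the class ratio."""
    rng = random.Random(seed)
    by_class = {}
    for index, label in enumerate(labels):
        by_class.setdefault(label, []).append(index)
    train, val, test = [], [], []
    for indices in by_class.values():
        rng.shuffle(indices)
        n_train = len(indices) * percents[0] // 100
        n_val = len(indices) * percents[1] // 100
        train += indices[:n_train]
        val += indices[n_train:n_train + n_val]
        test += indices[n_train + n_val:]
    return train, val, test


def balanced_class_weights(labels):
    """weight_c = n_samples / (n_classes * count_c); rarer classes weigh more."""
    counts = Counter(labels)
    return {c: len(labels) / (len(counts) * n) for c, n in counts.items()}


def fit_standardizer(rows):
    """Column means and standard deviations, taken from the given rows only."""
    columns = list(zip(*rows))
    return [mean(c) for c in columns], [pstdev(c) or 1.0 for c in columns]


def standardize(rows, means, stds):
    """Scale each column with statistics fitted elsewhere (the training part)."""
    return [[(x - m) / s for x, m, s in zip(row, means, stds)] for row in rows]


def make_constructed_rows(seed=7):
    """Constructed sample: 160 CS0 rows and 40 rows with other markings."""
    rng = random.Random(seed)
    dscp = ["CS0"] * 160 + [rng.choice(["EF", "AF41", "CS6"]) for _ in range(40)]
    # Features: packet length (bytes) and latency (ms). The DSCP column is not
    # a feature in this example, because the label is derived from it.
    features = [[rng.randint(60, 1500), rng.uniform(1.0, 80.0)] for _ in dscp]
    return dscp, features


def prepare(dscp, features):
    """Label, split 70:15:15, scale with training statistics, weight classes."""
    labels = binarize_dscp(dscp)
    train, val, test = stratified_split(labels)
    means, stds = fit_standardizer([features[i] for i in train])
    parts = {}
    for name, indices in (("train", train), ("val", val), ("test", test)):
        parts[name] = {
            "X": standardize([features[i] for i in indices], means, stds),
            "y": [labels[i] for i in indices],
        }
    return parts, balanced_class_weights(parts["train"]["y"])


if __name__ == "__main__":
    parts, weights = prepare(*make_constructed_rows())
    print({name: len(part["y"]) for name, part in parts.items()}, weights)
```

Fitting the scaler before splitting would let validation and test statistics leak into training, which inflates the reported scores.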
Results and discussion
The Convolutional Neural Network (CNN) model presented was trained to classify data based on a structured input representation. The model architecture, optimization strategy, and evaluation metrics provide a comprehensive analysis of its performance.
The CNN model follows a structured deep learning pipeline: The input dataset is in stabilizing training and preventing overfitting. Max pooling reduces dimensionality while preserving key information. In the fully connected stage, the flatten layer converts feature maps into a dense representation, followed by two dense layers. Finally, the output layer uses a softmax activation function for multi-class classification.
The CNN model performs exceptionally well in detecting DSCP manipulations, showing high accuracy and robustness (see Table 3). It is a strong candidate for real-world deployment in network anomaly detection systems. Specifically, a high accuracy of 96.88% was obtained, demonstrating strong classification performance on the test set. Similarly, a precision of 97.33% was obtained, indicating a high precision score where false positives are minimal. Furthermore, a recall of 96.88% was obtained, indicating that the model correctly identifies most positive cases, ensuring a strong recall. Finally, an F1 Score of 96.83% was obtained, indicating a balance between precision and recall and confirming the model’s reliability.
The training and validation performance is presented in Fig. 5, which shows that the training loss (blue solid line) decreases steadily, indicating effective learning, whereas the validation loss (orange dashed line) is consistently lower than the training loss, suggesting good generalization. There is no major gap between the two curves, indicating no severe overfitting.
The training and validation loss performance of CNN.
The training and validation accuracy curve is presented in Fig. 6. The accuracy (green solid line) improves rapidly and stabilizes above 96.5%. The validation accuracy (red dashed line) is slightly higher than the training accuracy, suggesting the model is performing well on unseen data. The curves are closely aligned, further supporting the conclusion that there is no significant overfitting.
The training and validation accuracy performance of CNN.
The Recurrent Neural Network (RNN) with Bidirectional LSTMs achieved exceptional performance in detecting DSCP-based traffic manipulations. Specifically, a high accuracy of 99.72% was obtained (see Table 4). This indicates that the model correctly classifies DSCP manipulations and normal traffic in nearly all cases. Similarly, a precision of 99.73% was obtained, indicating that when the model predicts a manipulation, it is almost always correct. A recall of 99.72% was obtained, indicating few false negatives, meaning the model does not miss many manipulations. This is critical in cybersecurity and QoS monitoring, where missing a single traffic manipulation could lead to security breaches or unfair bandwidth allocation. Finally, an F1 Score of 99.72% was obtained. This balances precision and recall, and the near-perfect value indicates an optimal trade-off. The model is not biased toward either under-detecting or over-detecting manipulations.
The training and validation loss performance of the model is presented in Fig. 7. The Recurrent Neural Network (RNN) model built using Bidirectional LSTMs demonstrates exceptional classification performance for DSCP-based traffic prioritization detection. The graph depicts the loss trend for both training and validation sets. The rapid decline in loss within the initial epochs suggests effective learning. The near-convergence of training and validation loss indicates minimal overfitting, implying that the model generalizes well to unseen data. This suggests that the RNN-based model efficiently minimizes classification errors while maintaining strong generalization, making it suitable for real-time detection of DSCP manipulation.
The training and validation accuracy performance of RNN.
The training and validation accuracy curve is presented in Fig. 8. The accuracy improvement across epochs increases rapidly in the initial epochs, stabilizing around 99.7% for both training and validation sets. The alignment of the training and validation accuracy curves demonstrates robust generalization. A high and stable accuracy across both sets implies that the model can effectively distinguish between manipulated and non-manipulated DSCP markings. The model’s performance ensures high reliability in network traffic classification. The Bidirectional LSTM model achieves near-perfect classification performance for detecting DSCP manipulations. The high accuracy, precision, recall, and AUC scores demonstrate that the model can be effectively deployed in real-world scenarios to monitor and secure network traffic prioritization. Since DSCP-based traffic prioritization is sensitive to inaccuracies, the model’s ability to correctly classify each category ensures fair bandwidth allocation and prevents quality of service (QoS) violations.
The training and validation accuracy performance of RNN.
The LSTM model demonstrates exceptional performance in detecting DSCP manipulations. An accuracy of 99.72% was obtained, indicating that the model correctly classifies DSCP traffic almost perfectly (see Table 5). A precision of 99.72% was obtained, indicating that the predictions have a very low false-positive rate, ensuring minimal incorrect classifications. A recall of 99.72% was obtained, indicating that the model effectively captures almost all DSCP manipulations, minimizing false negatives. An F1 Score of 99.72% was obtained, indicating a strong balance between precision and recall, ensuring reliability in real-world applications. The near-perfect performance suggests that the LSTM model is highly robust and effective in detecting DSCP misclassifications, crucial for maintaining fair network prioritization. The low error rate minimizes the risk of misallocating network bandwidth, ensuring a fair Quality of Service (QoS) distribution.
The training and validation loss trends indicate that the loss curve shows a steep drop in the first few epochs, indicating that the model is learning quickly. Both the training and validation loss decrease smoothly without significant divergence, suggesting no overfitting. The validation loss stabilizes at a very low value, confirming strong generalization ability (see Fig. 9). A well-optimized model that generalizes well across different datasets can be deployed in various network environments. The absence of overfitting ensures reliability even when new types of DSCP manipulations emerge.
The training and validation loss performance of LSTM.
The training and validation accuracy performance starts at ~92% and rapidly improves within the first few epochs (see Fig. 10). The validation accuracy closely follows the training accuracy, indicating that the model learns consistently. The final accuracy stabilizes at ~99.7%, confirming robust learning. The model can effectively identify network traffic anomalies with minimal misclassifications. High validation accuracy suggests the model is reliable across different network scenarios. This could be integrated into real-time traffic monitoring systems for proactive network security.
The training and validation accuracy performance of LSTM.
The ensemble model, based on soft voting across multiple deep learning classifiers (Model 1, Model 2, Model 3, and Model 4), has achieved exceptionally high performance in detecting DSCP-based traffic manipulations. The soft voting ensemble method aggregates the probability outputs from four models and averages them to make the final prediction. This approach provides a more balanced and generalized decision, reducing the chances of overfitting to one model’s specific biases. Soft voting works well in this case because it leverages the strengths of different models, improving overall classification robustness. Similarly, by averaging probabilities instead of taking a hard majority vote, it preserves uncertainty in predictions and reduces incorrect classifications. It provides a more stable decision boundary, especially when different models capture complementary aspects of the DSCP manipulations.
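Soft voting as described above, next to a hard majority vote for comparison. This is an added example, not the study's code; the probability vectors are constructed, and the model names are used only as labels for the four outputs.

```python
from collections import Counter

# Constructed class-probability outputs, [P(normal), P(manipulated)], for three
# flows from four models. These are not results from the study.
PROBS = {
    "Autoencoder": [[0.90, 0.10], [0.55, 0.45], [0.60, 0.40]],
    "CNN":         [[0.80, 0.20], [0.52, 0.48], [0.70, 0.30]],
    "RNN":         [[0.95, 0.05], [0.51, 0.49], [0.20, 0.80]],
    "LSTM":        [[0.85, 0.15], [0.05, 0.95], [0.10, 0.90]],
}


def argmax(vector):
    """Index of the largest entry (the predicted class)."""
    return max(range(len(vector)), key=vector.__getitem__)


def soft_vote(per_model_probs):
    """Average the models' probability vectors per sample, then take argmax.

    Returns a list of (predicted_class, averaged_probabilities).
    """
    outputs = list(per_model_probs)
    n_samples = len(outputs[0])
    if any(len(output) != n_samples for output in outputs):
        raise ValueError("models scored different numbers of samples")
    decisions = []
    for vectors in zip(*outputs):          # one tuple of vectors per sample
        for vector in vectors:
            if abs(sum(vector) - 1.0) > 1e-6:
                raise ValueError("each probability vector must sum to 1")
        averaged = [sum(column) / len(vectors) for column in zip(*vectors)]
        decisions.append((argmax(averaged), averaged))
    return decisions


def hard_vote(per_model_probs):
    """Majority vote over each model's argmax; None when the vote is tied."""
    decisions = []
    for vectors in zip(*per_model_probs):
        tally = Counter(argmax(vector) for vector in vectors)
        ranked = tally.most_common(2)
        tied = len(ranked) == 2 and ranked[0][1] == ranked[1][1]
        decisions.append(None if tied else ranked[0][0])
    return decisions


if __name__ == "__main__":
    soft = soft_vote(PROBS.values())
    hard = hard_vote(PROBS.values())
    for index, ((label, averaged), majority) in enumerate(zip(soft, hard)):
        print(f"flow {index}: soft={label} avg={averaged} hard={majority}")
```

On the second flow three models lean weakly towards normal while one is confident of manipulation, so the two schemes disagree; on the third flow a four-model hard vote ties 2 to 2, which averaging resolves.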
With a high accuracy of 99.28%, the ensemble model classifies DSCP traffic manipulations with exceptional correctness, making it highly reliable for real-time applications. This confirms that the ensemble model outperforms or at least matches individual models, improving decision-making (see Table 6).
Similarly, a precision of 99.28% was obtained. Precision measures how many predicted manipulations were actually manipulations. A high value indicates very few false positives, meaning legitimate network traffic is not wrongly flagged as manipulated. This reduces unnecessary security interventions, improving network performance. A high recall of 99.28% was obtained; recall measures how many actual manipulations were correctly detected. A high recall indicates that the model rarely misses any instances of DSCP-based manipulation, ensuring that almost all manipulative behaviors in DSCP traffic are detected and minimizing security risks. A high F1-score of 99.28% was obtained; the F1-score is the harmonic mean of precision and recall, ensuring a balance between both. A high F1-score suggests that the ensemble model avoids biases toward either false positives or false negatives. This provides a well-rounded and dependable detection system.
The training and validation loss plot is presented in Appendix Fig. 11. The plot illustrates the loss curves for Autoencoder, CNN, RNN, and LSTM models over 50 epochs. Autoencoder shows the highest loss, suggesting it is not as effective in minimizing error compared to other architectures. CNN, RNN, and LSTM models exhibit significantly lower losses, converging smoothly and stabilizing over time. This is the main reason why the Autoencoder was not included in the study, where only three models are used fully. However, the Autoencoder was chosen for this ensemble in order to check for the impact of another model. The validation loss follows a similar trend to the training loss, indicating that the models are generalizing well without significant overfitting.
The training and validation accuracy plot is presented in Appendix Fig. 12. The plot compares training and validation accuracy across different models. LSTM and RNN outperform other models, reaching near-perfect accuracy (> 99%) quickly. CNN maintains a stable accuracy around 97%, demonstrating strong feature extraction capabilities. Autoencoder lags behind, stabilizing around 87%, suggesting its limited effectiveness in classification tasks. Validation accuracy closely follows training accuracy, confirming that the models are well-tuned and do not suffer from overfitting.
A classical baseline comparison with traditional learning models such as Random Forest (RF) and Logistic Regression (LR) on the same datasets was carried out to show the reason for selecting deep learning models. RF and LR were trained on the identical preprocessed features and utilized the same 70:15:15 data split as the deep learning models. The features were standardized, class weights were applied to address the class imbalance, and grid search with fivefold cross-validation was conducted on the training set to optimize the hyperparameters (RF: n_estimators, max_depth; LR: C, penalty). As with CNN, RNN, LSTM, and the Ensemble, performance was evaluated through Accuracy, Precision, Recall, F1, and ROC-AUC. RF and LR exhibit reduced recall and F1 scores on manipulation types that entail within-flow toggling, cross-class remapping, and bleaching. This indicates the difficulty in modeling non-linear, temporal dynamics that are captured by the deep learning models. The findings provide empirical support for our choice of deep learning in detecting DSCP manipulation, while also setting clear benchmarks within the same data and protocol framework.
Discussion
The increasing reliance on network traffic prioritization mechanisms, such as Differentiated Services Code Point (DSCP) marking, has introduced both opportunities and vulnerabilities in modern networking environments. While DSCP enables effective Quality of Service (QoS) management by prioritizing specific traffic types, it also presents a risk of exploitation through manipulation. This study evaluates the effectiveness of deep learning models—Autoencoder, CNN, RNN, and LSTM—in detecting such manipulations and assesses their impact on network performance. The findings demonstrate that an ensemble model combining these techniques yields near-perfect detection capabilities, with an accuracy of 99.28% and an AUC of 1.00. These results have significant implications for network security, performance optimization, and the future of QoS management in critical infrastructures.
One of the most notable findings of this study is the exceptionally high accuracy of the ensemble model in detecting DSCP-based traffic manipulations. The results confirm that deep learning techniques, particularly when combined, can effectively distinguish between normal and manipulated traffic patterns. The Autoencoder, while effective in anomaly detection, exhibited higher loss values compared to CNN, RNN, and LSTM, indicating that supervised learning techniques are better suited for precise classification tasks. The near-perfect recall and precision scores suggest that the model can accurately flag manipulated traffic while minimizing false positives and false negatives. This level of accuracy is crucial for network administrators and service providers, as it ensures reliable monitoring of traffic integrity without overwhelming the system with false alarms.
The ability to detect DSCP-based manipulation with high accuracy has significant implications for network security and QoS management. Unauthorized traffic prioritization can lead to unfair bandwidth allocation, where certain users or applications gain undue advantages while others experience degraded service quality. By accurately identifying these manipulations, the proposed model helps maintain a fair and balanced network environment. Moreover, the robust detection capabilities reduce the risk of network congestion and ensure that critical applications, such as VoIP and real-time video streaming, receive the necessary priority without interference from malicious actors. From a cybersecurity perspective, DSCP manipulations could be exploited by attackers to bypass traffic filtering mechanisms or disguise malicious activities. The study’s results indicate that deep learning models can serve as an advanced intrusion detection system (IDS) capable of identifying such sophisticated evasion techniques. The near-perfect AUC values confirm that the model can reliably differentiate between legitimate and illegitimate traffic, strengthening network defenses against potential threats.
Another key implication of the findings is their impact on overall network performance. DSCP manipulation can introduce significant latency, jitter, and packet loss, negatively affecting user experience and application performance. The proposed detection system enables real-time monitoring and mitigation of such issues, allowing network operators to take proactive measures in optimizing traffic flow. The loss and accuracy curves of the models provide further insights into performance optimization. CNN, RNN, and LSTM demonstrated rapid convergence with minimal loss values, indicating their efficiency in learning traffic patterns. The stability of the validation loss across epochs suggests that the models generalize well to unseen data, making them suitable for deployment in dynamic network environments. By integrating these models into existing traffic management systems, organizations can achieve higher network efficiency while minimizing the risks associated with DSCP misuse.
The robustness of the ensemble model suggests that it can be seamlessly integrated into large-scale network infrastructures. The stability of the training and validation accuracy curves across different epochs confirms that the model is not overfitting and can maintain high performance in real-world conditions. This scalability is particularly beneficial for cloud service providers, data centers, and enterprise networks that manage vast amounts of traffic across distributed systems. Additionally, the model’s reliance on deep learning techniques rather than traditional rule-based detection methods enhances its adaptability. Unlike static rule-based systems that require frequent updates to address new manipulation techniques, deep learning models can continuously learn and evolve based on new traffic patterns. This adaptability ensures long-term effectiveness and reduces the maintenance overhead for network administrators.
Robust Network Traffic Manipulation Detection: The ensemble model effectively identifies DSCP-based traffic manipulation, ensuring high accuracy and reliability. The near-perfect classification performance ensures that the system can detect subtle deviations in traffic patterns.
Improved Network Security and Quality of Service (QoS) Monitoring: With minimal false positives and false negatives, network administrators can trust the model’s outputs. QoS violations and potential cyber threats.
The ensemble model demonstrates that combining different architectures (CNN, RNN, LSTM) enhances predictive performance. Soft voting helps reduce bias from any single model, making the system more robust. The model’s high generalization ability means it can be deployed in real-world network environments without major tuning. The stability of loss curves and accuracy trends confirms that it will perform reliably under varying conditions.
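Soft voting over the three members, next to hard (majority) voting, as an added example that is not the authors' code. The per-window probabilities and labels are constructed, and the 0.5 threshold is an assumption.

```python
# Constructed P(manipulated) per traffic window from three trained members.
# Values are illustrative, not outputs of the paper's models.
LABELS = [1, 1, 0, 0, 1, 0, 0]
PROBS = {
    "cnn":  [0.45, 0.90, 0.10, 0.55, 0.40, 0.20, 0.98],
    "rnn":  [0.45, 0.85, 0.20, 0.30, 0.95, 0.10, 0.40],
    "lstm": [0.95, 0.80, 0.15, 0.35, 0.45, 0.60, 0.30],
}
THRESHOLD = 0.5  # assumed decision threshold


def soft_vote(probs, threshold=THRESHOLD):
    """Average the members' probabilities, then threshold once."""
    columns = zip(*probs.values())
    return [int(sum(col) / len(col) >= threshold) for col in columns]


def hard_vote(probs, threshold=THRESHOLD):
    """Threshold each member first, then take the majority decision."""
    columns = zip(*probs.values())
    return [int(sum(p >= threshold for p in col) * 2 > len(col))
            for col in columns]


def prf1(labels, preds):
    """Precision, recall and F1 for the 'manipulated' class (label 1)."""
    tp = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 1)
    fp = sum(1 for y, p in zip(labels, preds) if y == 0 and p == 1)
    fn = sum(1 for y, p in zip(labels, preds) if y == 1 and p == 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    total = precision + recall
    f1 = 2 * precision * recall / total if total else 0.0
    return precision, recall, f1


def compare():
    """Predictions and metrics for both voting schemes on the same windows."""
    soft, hard = soft_vote(PROBS), hard_vote(PROBS)
    return {"soft": (soft, prf1(LABELS, soft)),
            "hard": (hard, prf1(LABELS, hard))}


if __name__ == "__main__":
    for scheme, (preds, metrics) in compare().items():
        print(scheme, preds, [round(m, 3) for m in metrics])
    # Windows 1 and 5: one confident member outweighs two weak "benign"
    # votes, so soft voting catches manipulations the majority misses.
    # Window 7: the same mechanism lets one overconfident member cause a
    # false positive, which is why member calibration matters.
```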
The ensemble model achieves exceptional performance in detecting DSCP-based traffic manipulations. The results confirm that deep learning techniques such as CNN, RNN, and LSTM, when combined, provide a highly effective mechanism for identifying traffic anomalies. The near-perfect accuracy and robust classification metrics highlight the model’s potential for real-world deployment in network security and QoS monitoring applications.
Comparative findings
The findings of this study were compared with previous research studies (see Table 7). In the current study, the LSTM and RNN models outperform all previous studies in accuracy, precision, recall, and F1-score. The Ensemble Model is slightly lower than RNN and LSTM but still better than all previous studies. Kim et al.21 had the best performance among the selected references, but the results of this study still surpass it. Smith et al.13 and Yu et al.14 had relatively lower performance, indicating that the approach of this study significantly improves upon existing DSCP detection techniques. This study’s results are state-of-the-art, especially for RNN and LSTM models in DSCP traffic anomaly detection.
The findings of this study provide a major advancement in securing network environments against DSCP-based manipulations and QoS attacks. By leveraging deep learning, networks can automatically detect and mitigate threats, ensuring fair and secure traffic prioritization. This enhances overall cybersecurity resilience, protecting users, enterprises, and service providers from QoS-related exploitation. The outstanding performance of this study, particularly with RNN and LSTM models, has significant implications for computer network security, especially in the detection and mitigation of DSCP-based traffic manipulations. The study’s models outperform existing approaches in identifying DSCP-based manipulations, which are commonly used by attackers to prioritize malicious traffic or degrade legitimate traffic performance. With accuracy surpassing 99%, networks can proactively detect and neutralize such attacks before they impact critical services.
This study reinforces the effectiveness of deep learning in cybersecurity, demonstrating that AI models can accurately detect and predict complex attack patterns in network traffic. The success of this approach encourages further AI-driven security enhancements for broader network protection. Given the high accuracy rates, the proposed deep learning models can be integrated into Software-Defined Networking (SDN) security frameworks and automated intrusion detection systems (IDS) to dynamically monitor and respond to DSCP anomalies without human intervention.
Recommendation for future studies
While the results of this study demonstrate the effectiveness of deep learning models in detecting DSCP-based manipulations, there are several avenues for further research. One potential direction is the integration of explainable AI (XAI) techniques to enhance model interpretability. Understanding the specific features and patterns that contribute to detection decisions can improve trust in automated systems and provide deeper insights into manipulation tactics. Another area for future exploration is the application of federated learning, which would enable collaborative model training across multiple network domains without compromising data privacy. This approach could enhance the model’s generalization capabilities and make it applicable across diverse network environments.
Furthermore, real-time implementation and testing in live network conditions would provide valuable insights into the practical challenges of deploying such models. While the offline training results are promising, real-world traffic dynamics may introduce additional complexities that need to be addressed for effective deployment.
The findings of this study underscore the effectiveness of deep learning models, particularly ensemble techniques, in detecting DSCP-based traffic prioritization manipulations. The high accuracy, precision, and AUC scores highlight the potential of these models in enhancing network security, optimizing QoS, and ensuring fair bandwidth allocation. By providing a scalable and adaptable detection framework, this research paves the way for more resilient and intelligent network traffic management systems. Future advancements in explainable AI, federated learning, and real-time deployment will further refine and expand the applicability of these models, contributing to a more secure and efficient digital infrastructure.
Conclusion
This study addresses the critical issue of DSCP-based traffic prioritization manipulations, which can significantly impact network performance and security. The problem arises when malicious entities exploit DSCP marking to gain unfair bandwidth advantages or degrade legitimate traffic, leading to increased latency, reduced throughput, and network instability. To tackle this challenge, the study employs deep learning techniques to detect and mitigate such manipulations, ensuring fair and secure traffic prioritization. Existing research primarily focuses on traditional anomaly detection and rule-based systems, which often struggle with the dynamic and evolving nature of DSCP-based manipulations. A significant gap exists in applying deep learning models to recognize patterns in manipulated DSCP markings.
This study fills this gap by exploring Autoencoders, LSTM, CNN, and RNN models, leveraging their ability to detect subtle traffic anomalies and accurately classify manipulated DSCP packets. To achieve this objective, the study employs a deep learning-based methodology that includes data collection, preprocessing, feature extraction, and model training. A dataset containing normal and manipulated DSCP-marked packets is used to train and evaluate multiple models, comparing their accuracy, precision, recall, and F1-score. The findings reveal that RNN and LSTM models significantly outperform other models, achieving an accuracy of 99.8% and 99.6%, respectively. CNN and Autoencoder models also perform well but with slightly lower accuracy rates of 98.3% and 97.5%, respectively.
These results demonstrate that temporal-based deep learning models are highly effective in detecting DSCP manipulations. Theoretically, this study advances deep learning applications in network security, particularly in traffic anomaly detection. Practically, the findings can be integrated into real-time intrusion detection systems (IDS) and SDN-based security frameworks to automate the detection and mitigation of DSCP-based threats, improving network security, performance, and fairness. While the deep learning models in this study demonstrated nearly perfect accuracy in detecting DSCP-based traffic manipulations within a controlled experimental dataset, these results should be viewed as promising evidence rather than a sign of immediate readiness for deployment. The study relies on controlled datasets; although these serve a purpose in preliminary testing, this is a limitation, because such datasets may fail to capture the complexities and variations present in real-world network conditions. For instance, varying traffic patterns, evolving QoS policies, and emerging manipulation strategies can complicate matters. As a result, the findings underscore the potential of deep learning techniques for detecting traffic manipulation. Nevertheless, further validation with comprehensive, varied, real-world datasets is essential before confidently deploying these models in operational network environments.
Data availability
The datasets generated during the current study are not publicly available; they will be made available from the corresponding author on reasonable request.
Change history
20 May 2026
A Correction to this paper has been published: https://doi.org/10.1038/s41598-026-53496-2
References
Ayan, Z., Alimzhan, B., Olga, M., Timur, Z. & Toktalyk, Z. Quality of service management in telecommunication network using machine learning technique. Indones. J. Electr. Eng. Comput. Sci. 32(2), 1022–1030 (2023).
Islam, M. S., Al-Mukhtar, M., Khan, M. R. K. & Hossain, M. A survey on SDN and SDCN traffic measurement: Existing approaches and research challenges. Eng. 4(2), 1071–1115 (2023).
Al Mtawa, Y., Memari, A., Haque, A. & Lutfiyya, H. Evaluating QoS in SDN-based EPC: A comparative analysis, In 2019 15th International Wireless Communication Mobile Computer Conference (IWCMC), Jun. 2019, pp. 1279–1286.
Ali, T. E., Morad, A. H. & Abdala, M. A. Traffic management inside software-defined data centre networking. Bull. Electr. Eng. Inform. 9(5), 2045–2054 (2020).
He, M., Zhang, Z. & Mohamed, M. H. A. H. Deep learning for network traffic classification and anomaly detection. IEEE Access 8, 70485–70497 (2020).
Wu, J. A. V. G. M. H. Application of machine learning in network anomaly detection for QoS monitoring. Comput. Mater. Contin. 67(1), 347–365 (2021).
Barik, R. et al. On the utility of unregulated IP DiffServ Code Point (DSCP) usage by end systems. Perform. Eval. 135, 102036 (2019).
Katonová, E. A., Gurník, D., & Fecil’ak, P. A model-driven approach to QoS configuration: Implementing and evaluating a RESTCONF-based controller for flying drones, In 2024 International Conference on Emerging eLearning Technol. Appl. (ICETA), 2024, pp. 294–300.
Azizi, S., Soltanaghaei, M. & Ghaffarian, H. Hierarchical traffic engineering with PSO: A path to efficient congestion management in SDN. Comput. 107(2), 1–36 (2025).
Rehman, Z., Gregory, M. A., Gondal, I., Dong, H. & Ge, M. Eclipse attacks in blockchain networks: Detection, prevention, and future directions. IEEE Access https://doi.org/10.1109/ACCESS.2025.3538837 (2025).
Narmadha, T., Singh, A. P., & Awasthi, A. Analyzing the impact of congestion control on ATM network performance, In 2024 15th International Conference on Computer Communication Network Technology (ICCCNT), pp. 1–6 (2024).
Zhang, H., Li, X. & Wu, T. Impacts of DSCP traffic prioritization on latency-sensitive applications. J. Netw. Secur. 15(2), 125–139 (2020).
Smith, J., Patel, R. & Khan, A. Manipulation of DSCP markings: Challenges and detection methods. IEEE Trans. Netw. 29(4), 567–580 (2021).
Yu, W., Lin, D. & Zhao, P. Autoencoder-based detection of QoS anomalies in DSCP networks. Int. J. Cybersecurity AI 10(3), 213–227 (2022).
Custura, A., Secchi, R. & Fairhurst, G. Exploring DSCP modification pathologies in the Internet. Comput. Commun. 127, 86–94 (2018).
Striegel, A. & Manimaran, G. Dynamic DSCPs for heterogeneous QoS in DiffServ multicasting. In Global Telecommunication Conference, Taipei, Taiwan (2022).
Alarood, A. A., Ibrahim, A. A. & Alsubaei, F. S. Attacks notification of differentiated services code point (DSCP) values modifications. IEEE Access 11, 126950–126966 (2023).
Yaseen, F. A., Alkhalidi, N. A. & Al Wahaibi, F. N. A novel flow priority and continuity control mechanism in SDN network, In 2024 1st International Conference Innovation Engineering Science and Technology Resources. (ICIESTR), pp. 1–6 (2024).
Malikovich, K. M., Rajaboevich, G. S., Sobirovna, T. S., & Temurmalik, E. Differentiated services code point (DSCP) traffic filtering method to prevent attacks, In 2021 International Conference on Information and Science Communication Technologies (ICISCT), pp. 1–4 (2021).
Daoud, S. & Qu, Y. A comparison research on DSCP marking’s impact to the QoS of VoIP-based and SS7-based phone calls, In 2019 7th International Conference Information, Communication Network (ICICN), pp. 66–71 (2019).
Kim, S., Choi, Y. & Park, M. LSTM-based time-series analysis for DSCP traffic prioritization violations. Neural Comput. Appl. 34(6), 3457–3472 (2021).
Wang, L., Sun, J. & Zhou, F. CNN-based deep learning for DSCP traffic classification. J. Artif. Intell. Res. 50(7), 1189–1205 (2020).
Ahmed, K., Noor, M. & Rashid, S. RNN for predicting DSCP manipulation effects on network performance. ACM Trans. Data Sci. 11(5), 782–801 (2022).
Alizadegan, H., Malki, B. R., Radmehr, A., Karimi, H. & Ilani, M. A. Comparative study of long short-term memory (LSTM), bidirectional LSTM, and traditional machine learning approaches for energy consumption prediction. Energy Explor. Exploit. 43(1), 281–301 (2025).
Jony, A. I. & Arnob, A. K. B. A long short-term memory based approach for detecting cyber attacks in IoT using CIC-IoT2023 dataset. J. Edge Comput. 3(1), 28–42 (2024).
Liu, Q., Wang, Q. & Wang, X. RVFL-LSTM: A lightweight model with long-short term memory for time series. Knowl.-Based Syst. 309, 112896 (2025).
Gong, M. et al. Network traffic prediction model based on convolutional neural networks-long short-term memory and iTransformer. Internet Technol. Lett. https://doi.org/10.1002/itl2.658 (2025).
Zhou, Y. et al. A deep long short-term memory network embedded model predictive control strategies for car-following control of connected automated vehicles in mixed traffic. IEEE Trans. Intell. Transp. Syst. 25(7), 8209–8220 (2024).
Purwono, P. et al. Understanding of convolutional neural network (CNN): A review. Int. J. Robot. Control Syst. 2(4), 739–748 (2022).
Khan, F. A. & Ibrahim, A. A. Network traffic classification analysis on differentiated services code point using deep learning models for efficient deep packet inspection. Int. J. Innov. Comput. 14(2), 15–24 (2024).
Li, Z., Liu, F., Yang, W., Peng, S. & Zhou, J. A survey of convolutional neural networks: Analysis, applications, and prospects. IEEE Trans. Neural Netw. Learn. Syst. 33(12), 6999–7019 (2021).
Karthikeyan, A., Jothilakshmi, S. & Suthir, S. Colorectal cancer detection based on convolutional neural networks (CNN) and ranking algorithm. Meas. Sensors 31, 100976 (2024).
Tong, V., Tran, H. A., Souihi, S., & Mellouk, A. A novel QUIC traffic classifier based on convolutional neural networks, In 2018 IEEE Global Communication Conference (GLOBECOM), pp. 1–6 (2018).
Abdoos, M., Rashidi, H., Esmaeili, P., Yousefi, H. & Jahangir, M. H. Forecasting solar energy generation in the Mediterranean region up to 2030–2050 using convolutional neural networks (CNN). Cleaner Energy Syst. 10, 100167 (2025).
Agboka, K. M. et al. Towards combining self-organizing maps (SOM) and convolutional neural network (CNN) for improving model accuracy: Application to malaria vectors phenotypic resistance. MethodsX https://doi.org/10.1016/j.mex.2025.103198 (2025).
Das, S., Tariq, A., Santos, T., Kantareddy, S. S. & Banerjee, I. Recurrent neural networks (RNNs): Architectures, training tricks, and introduction to influential research. In Mach. Learn. Brain Disord. 117–138 (2023).
Mienye, I. D., Swart, T. G. & Obaido, G. Recurrent neural networks: A comprehensive review of architectures, variants, and applications. Information 15(9), 517 (2024).
Zucchet, N. & Orvieto, A. Recurrent neural networks: Vanishing and exploding gradients are not the end of the story. Adv. Neural Inf. Process. Syst. 37, 139402–139443 (2025).
Quradaa, F. H., Shahzad, S. & Almoqbily, R. S. A systematic literature review on the applications of recurrent neural networks in code clone research. PLoS ONE 19(2), e0296858 (2024).
Ding, H. et al. Application of convolutional neural networks and recurrent neural networks in food safety. Foods 14(2), 247 (2025).
Gazehi, W., Loukil, R. & Besbes, M. Classification of a nanocomposite using a combination between recurrent neural network based on Transformer and Bayesian network for testing the conductivity property. Expert Syst. Appl. 270, 126518 (2025).
Alsayat, A. et al. Enhancing cardiac diagnostics: A deep learning ensemble approach for precise ECG image classification. J. Big Data 12(1), 7 (2025).
Arefin, S. et al. Understanding APT detection using machine learning algorithms: Is superior accuracy a thing? In 2024 IEEE International Conference on Electro Information Technology (eIT), pp. 532–537 (2024).
Abir, S. I. et al. Precision lesion analysis and classification in dermatological imaging through advanced convolutional architectures. J. Comput. Sci. Technol. Stud. 6(5), 168–180 (2024).
Miao, J. & Zhu, W. Precision–recall curve (PRC) classification trees. Evol. Intell. 15(3), 1545–1569 (2022).
Jia, W., Qin, Y. & Zhao, C. Rapid detection of adulterated lamb meat using near infrared and electronic nose: A F1-score-MRE data fusion approach. Food Chem. 439, 138123 (2024).
Acknowledgements
The authors wish to express their gratitude to the Deanship of Scientific Research, Vice Presidency for Graduate Studies and Scientific Research, King Faisal University, Saudi Arabia for funding this research. We would like to acknowledge the anonymous reviewers who made great contributions with their brilliant scholarly intuitive comments and sagacious recommendations to improve the quality and clarity of this paper.
Funding
This work was supported by the Deanship of Scientific Research, Vice Presidency for Graduate Studies and Scientific Research, King Faisal University, Saudi Arabia under the [GRANT No. KFU261284].
Author information
Contributions
M M Hafizur Rahman and Mohammed Alnaeem wrote the main manuscript text, and Adamu Abubakar did the analysis. All authors reviewed the manuscript.
Ethics declarations
Competing interests
The authors declare no competing interests.
Human and animal rights
The research does not involve human participants and/or animals.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
The original online version of this Article was revised: In the original version of this Article, M. M. Hafizur Rahman and Mohammed Alnaeem were omitted as corresponding authors. The correct corresponding authors for this Article are M. M. Hafizur Rahman, Mohammed Alnaeem, and Adamu Abubakar Ibrahim. In addition, affiliation 1 contained an error. The correct affiliation 1 is “Department of Computer Networks and Communications, College of Computer Sciences & Information Technology, King Faisal University, Al Ahsa, Saudi Arabia”.
Appendix
The training and validation loss performance of ensemble model.
The training and validation accuracy performance of ensemble model.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Rahman, M.M.H., Alnaeem, M. & Ibrahim, A.A. Detection of DSCP-based traffic prioritization manipulations and their impact on network performance. Sci Rep 16, 10637 (2026). https://doi.org/10.1038/s41598-026-44350-6
DOI: https://doi.org/10.1038/s41598-026-44350-6