To address the growing scalability and interpretability challenges in DDoS attack detection amid increasingly frequent and sophisticated attacks, this paper proposes an automated, interpretable detection framework. Methodologically, it integrates TPOT (Tree-based Pipeline Optimization Tool) to automate end-to-end machine learning pipeline optimization and employs SHAP (SHapley Additive exPlanations) for both model-level and feature-level attribution explanations. Additionally, it incorporates discriminative traffic features—such as mean backward packet length and minimum forward packet header length—to enhance detection sensitivity. Experimental results demonstrate that the framework achieves high detection accuracy while significantly improving decision transparency and attack attribution traceability. It thus establishes a novel paradigm that jointly delivers strong performance and human-understandable insights, enabling effective real-time response and security analysis.

With the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks, it has become critical to develop more efficient and interpretable detection methods. Traditional detection systems often struggle with scalability and transparency, hindering real-time response and understanding of attack vectors. This paper presents an automated framework for detecting and interpreting DDoS attacks using machine learning (ML). The proposed method leverages the Tree-based Pipeline Optimization Tool (TPOT) to automate the selection and optimization of ML models and features, reducing the need for manual experimentation. SHapley Additive exPlanations (SHAP) is incorporated to enhance model interpretability, providing detailed insights into the contribution of individual features to the detection process. By combining TPOT's automated pipeline selection with SHAP interpretability, this approach improves the accuracy and transparency of DDoS detection. Experimental results demonstrate that key features such as mean backward packet length and minimum forward packet header length are critical in detecting DDoS attacks, offering a scalable and explainable cybersecurity solution.