A novel data-driven integrated detection method for network intrusion classification based on multi-feature imbalanced data

Abstract

The multi-feature and imbalanced nature of network data has always been a challenge to be overcome in the field of network intrusion detection. The redundant features in data could reduce the overall quality of network data and the accuracy of detection models, because imbalance could lead to a decrease in the detection rate for minority classes. To improve the detection accuracy for imbalanced intrusion data, we develop a data-driven integrated detection method, which utilizes Recursive Feature Elimination (RFE) for feature selection, and screens out features that are conducive to model recognition for improving the overall quality of data analysis. In this work, we also apply the Adaptive Synthetic Sampling (ADASYN) method to generate the input data close to the original dataset, which aims to eliminate the data imbalance in the studied intrusion detection model. Besides, a novel VGG-ResNet classification algorithm is also proposed via integrating the convolutional block with the output feature map size of 128 from the Visual Geometry Group 16 (VGG16) of the deep learning algorithm and the residual block with output feature map size of 256 from the Residual Network 18 (ResNet18). Based on the numerical results conducted on the well-known NSL-KDD dataset and UNSW-NB15 dataset, it illustrates that our method can achieve the accuracy rates of 86.31% and 82.56% in those two test datasets, respectively. Moreover, it can be found that the present algorithm can achieve a better accuracy and performance in the experiments of comparing our method with several existing algorithms proposed in the recent three years.

Keywords

Artificial Intelligence Classification Algorithms Deep Learning Algorithms Network Intrusion Detection Multi-class Pattern Classification

1 Introduction

At present, accelerating the deployment of 5G networks has become a strategic consensus in the international community [1]. The network has become a tool for social productivity in the 5G era, but along with the rapid development of the Internet, it also faces a large number of network vulnerabilities and virtual attacks [2]. Maintaining network security has become difficult due to the increasing threat of cyber attacks and the sophistication of attack methods. It is necessary to accurately detect network intrusion in such an environment, so network intrusion detection has been proposed by researchers.

The network intrusion detection system actively detects network intrusions and can maintain network security and issue warnings to remind users to take measures when the network is attacked. At present, network intrusion detection is an important means of maintaining network security. Based on the installation of network intrusion detection systems, they can be divided into network-based intrusion systems (NIDS) and host-based intrusion detection systems (HIDS) [3]. The application of machine learning methods to intrusion detection has shown good detection results in the existing studies [4, 5].

However, there are still many problems in network data. Firstly, in network requests, normal requests account for the majority, while the number of abnormal attacks is often relatively small. For example, in the NSL-KDD dataset, there are 67343 normal requests, while U2R and R2L network attacks have only 52 and 995 requests, respectively. This results in an imbalance in the number of different categories, leading to the neglect of a few outlier attacks during model training, resulting in biased judgment of the model [6]. When detecting the abnormal attacks in an imbalanced data set, most of neural network models are often severely affected by the majority of normal requests, so we need to balance the data. At the same time, not all data features in the dataset can be helpful for the correct discrimination of the network intrusion detection model. For example, there exist often many features in network traffic data that sometimes increase the training time of the network intrusion detection model, such as the feature of duration time, protocol types, service types, and so on. Redundant features can even hinder model detection, leading to a decrease in model discrimination accuracy.

In order to solve the problem of imbalanced data and multiple features mentioned above, we propose using Recursive Feature Elimination (RFE) for feature selection, then using Adaptive Synthetic Sampling (ADASYN) [7] to balance the data and generate a brand new training set. Finally, we use the residual network to learn the processed dataset to improve the performance of the network intrusion detection system. The datasets for this experiment are the NSL-KDD and UNSW-NB15 datasets. Many works similar to ours in recent years have been based on these two datasets and are therefore comparable.

The main contributions of this paper are as follows:

Due to the multi feature nature of the dataset, we adopt the Recursive Feature Elimination (RFE) method, which can select features that are conducive to the model’s performance based on their performance on the test set, thereby selecting the optimal feature.

By using the Adaptive Synthetic Sampling (ADA-SYN) method to balance the number of categories, a new training set is generated. This method can alleviate the problems of data imbalance and insufficient training for minority classes.

To improve the accuracy of model discrimination to avoid overfitting, we intercept the residual blocks with out_features=128 convolutional blocks in the Visual Geometry Group 16 (VGG16) [8] architecture and out_features=256 in the Residual Network 18 (ResNet18) [9] architecture to combine into a new VGG-ResNet (VRNET) network architecture. Experimental results on the NSL-KDD [10] and UNSW-NB15 [11] datasets show the better performance of our adopted method.

In order to achieve the best detection effect of the model, we will combine the above three modules. There are very few existing related works that combine these methods in existing work. We also conducted ablation experiments to verify the effectiveness of each module.

The rest of this paper is organized as follows: Section 2 summarizes the applied machine learning algorithms, feature selection algorithms, and category balancing algorithms in the field of network intrusion. Section 3 describes the algorithm used in this experiment. The description of the data set and the preparation before the experiment are presented in Section 4. Section 5 describes the experimental procedure and comparative study, and Section 6 Conclusion concludes the article.

2 Related Work

The existence of network attacks and network intrusions may affect various fields such as social welfare, economic issues, and data storage. Therefore, Network Intrusion Detection (NID) is a broad research field, and various methods have emerged over the years [12]. Zhang et al. [13] used a neural network with activation mapping (CAM-DNN) to detect Backdoor attacks. Wang et al. [14] used four medium methods, DNN, CNN, RNN, and LSTM and combined these algorithms to conduct experiments on the CSE-CIC-IDS2018 dataset. The results indicate that DNN, RNN, and CNN are superior to CNN+RNN and CNN+LSTM. Zhou et al. [15] proposed an incremental LSTM based intrusion detection method. The effect of state change on incremental LSTM performance is analyzed experimentally. Experiments show that the incremental LSTM-based intrusion detection method has higher accuracy than other methods. Khan et al. [16] proposed an optimized ensemble prediction model using soft voting AutoML, which fused the four optimal selection models to achieve better results.

2.1 Feature selection

The multi feature characteristics of data exist in various fields, such as network intrusion, traffic prediction [17], and so on. Reducing the data dimension can help improve the response speed of intrusion detection systems to network attacks [18]. Thakkar et al. [19] in performing feature selection are using statistical importance fusion to derive the ranking of features and derive features with higher bias. Experiments on three datasets NSL-KDD, UNSW-NB15, and CIC-IDS-2017 show the good performance of this feature selection algorithm by judging the accuracy, precision, recall, and F1score. Damtew et al. [20] proposed a heterogeneous ensemble feature selection (HEFS), which incorporates five filter feature selection methods to output feature subsets. A subset of ensemble features was obtained using a merging method [21]. It has better prediction performance in the NSL-KDD dataset compared to other methods. Yuvaraja [22] proposed an IGWO-EMS-DHPN method using improved Grey Wolf algorithm (IGWO) for selection and EMS-DHPN method, and experiments on UNSW-NB15, CIC-IDS-2017 dataset showed that the proposed method obtained the maximum accuracy.

2.2 Imbalance processing methods

In dealing with data imbalance issues, [23] reviewed existing methods to address category imbalance related issues and also described in detail the methods for handling similar problems in regression tasks. The literature [24] refines the data of each category with the help of Gaussian mixture model (GMM) and then uses WGAN to generate data similar to the original category thus achieving data balance. Song [25] et al. used clustering combined with SMOTE method to Oversampling a few classes, and then used K-means to undersample most classes. Ultimately, the sample size was balanced, and the experimental results showed that this method significantly improved the detection rate of minority classes.

Nowadays, many studies are based on high dimensional network data, but traditional machine learning methods can only be effective for low dimensional data and cannot cope with high dimensional data[26]. In existing work, many studies are based on imbalanced datasets, which leads to inaccurate model judgments and unreliable results. Therefore, we attempt to use the RFE algorithm to select the best features to reduce data dimensionality. In addition, the ADASYN algorithm is used to generate similar samples to solve the problem of uneven data. The most important thing is to improve the recognition accuracy of the model by combining VGG16 and ResNet18 network architectures. Finally, some related work is summarized in Table 1.

Table 1
Summary of existing studies related to intrusion detection system

References Objective Algorithm Dataset Advantage Disadvantage

Abbas [27] improve the anomaly detection process in network. Recursive Feature Elimination (RFE), Random Forest, MLP. NSL-KDD, UNSW-NB15, CSE-IC-IDS2018 Utilizing recursive feature elimination (RFE) for feature selection has improved the accuracy. Not utilizing data balancing methods to address class imbalance issues.

Imran [28] Detect network intrusion. AutoML, Kalman Filter. UNSW-NB15, CICIDS2017. Using SMOTE to solve data inequality and then using AutoML algorithm for classification. Redundant features should be reduced to improve model accuracy.

Duan [29] Propose a network intrusion detection method. A rough Fourier fast algorithm, RSDB, RE-RFE, KNN algorithm. KDD99. Significantly reduced the classification modeling time, with an average reduction of 0.09 seconds. Not conducting experiments on multiple datasets.

Pooja [30] detect intrusion in cyber security Recurrent Neural Network and LSTM. UNSW-NB15, KDDCUP99. Trigger different activation functions to optimize detection. Unresolved data imbalances.

Kornyo [31] The main purpose is to control the flow of packets on the network. AdkNN, RFE, RF, NB. CICIDS 2017 Achieved high accuracy and low false positive rate. Model generalization ability not verified on other datasets.

Thilagam [32] Proposed an intrusion detection system based on cloud computing. RC-NN and Ant Lion optimization algorithm. DARPA IDS and CSE-CIC-IDS2018. Varying different thresholds to simplify the features in the dataset allows the classifier to achieve optimal results. The author of this method should only conduct experiments on one dataset to demonstrate the effectiveness of the proposed method.

Abdelkhalek [33] Propose new methods for balancing data. ADASYN+TomekLink, CNN, LSTM, SVM, MLP. NSL-KDD. The author combined ADASYN and Tomek Links algorithms to solve the problem of data imbalance on the dataset, and the results showed that the recognition accuracy of the model was improved. No feature selection was conducted on the dataset and no experiments were conducted on other datasets.

Harini [34] Detecting vulnerabilities in the network by identifying any activity that deviates from the baseline pattern. ADASYN, Triple Layered Hybrid. NSL-KDD, CICIDS-2017, CIDDS 001. By dividing intrusion detection technology into three layers, a high level of accuracy was achieved on three datasets. No feature selection has been applied to the dataset.

3 Methodology

In this section we propose a network intrusion detection system based on multi-feature imbalanced data, and the implementation flow is shown in Fig. 1.

Fig. 1

Flow chart of network intrusion detection system architecture based on multi-feature imbalanced data.

Algorithm 1 RFE

Input: Evaluator E, the training set T = {f1, f2, . . , fn}, fi is the feature in the dataset, n is the number of features in the dataset, the original feature subset is denoted as S, and the best feature subset F.

Output: Excluded features.

1: Evaluator E is trained on the original dataset to obtain the model training result R1, and calculate the importance of each feature.

2: The least important features fi are eliminated according to their importance to obtain a new training set A1. Evaluator E is trained on A1 to obtain the training result R2 and the importance of each feature is calculated.

3: If R2 is better than R1, the new training set A1 is retained and the best subset F = S - fi.

4: The least important features are removed from the training set A1 to get A2, and the evaluator E is trained in A2. The training result R3 is obtained, and the feature importance in A2 is calculated.

5: If R3 is less than R2, keep A1 and the best subset F and stop iterating. If R3 is greater than R2, repeat steps 2 to 5 until one feature remains in the dataset. Repeat step 2 to step 5 for n-1 times.

Firstly, in the data processing stage, we standardize the data based on the NSL-KDD and UNSW-NB15 datasets. Due to the fact that many features in the dataset have different values for different units, standardization ensures that the values of all features are distributed within the same interval, while also avoiding the impact of different units, which is beneficial for the comprehensive evaluation of the model. In addition, the labels in the dataset, such as Dos, Normal, and other attack categories, also have features with median values as classification types. We need to encode these features and labels into digital algorithms to recognize them.

The basic data pre-processing of the dataset is followed by data slicing to obtain the training and test sets [35], and the distribution of the studied data set of our work will be summarized in Table 4. The NSL-KDD and UNSW-NB15 datasets have 41 features and 42 features, respectively, and in order to refine the features of the dataset to improve the overall data quality of the data we use the RFE algorithm for feature selection, as shown in Algorithm 1. Some notations are summarized in Table 2. The feature importance ranking is derived by RFE, and through the Table 5 we find that there is an imbalance in the distribution of categories on the two datasets, with some categories having a high number and some having a low number which can lead to biased judgments of the model. Therefore, we choose the ADASYN method for category balancing of the model, as shown in Algorithm 2.

Table 2

Summary of notation

Notation	Description
E	Evaluator
S	Original feature subset
F	Optimal feature subset
Ai, i = 1, 2 . . , n	Training set after i-th feature selection
Xi, i = 1, 2, . . , n	The i-th sample in the dataset
Yi, i = 1, 2, . . , n	The label corresponding to the i-th sample in the dataset
Ri, i = 1, 2, . . , n	The result after the i-th feature selection
T	Train set
fi, i = 1, 2, . . , n	The i-th feature in the dataset

Algorithm 2 ADASYN

Input: The training set T = {Xi, Yi}, i=1,..., m. Xi is the sample and Yi is the label.

Output: Sample balanced data.

1: Evaluator E is trained on the original dataset to obtain the model training result R1, and calculate the importance of each feature.

2: Calculate the category imbalance according to Eq. (1).

3: When the imbalance d is less than the set threshold value of the maximum tolerated imbalance:

4: Calculate the number of synthetic samples required according to Eq. (2).

5: The ratio is calculated for each minority class sample Xi using Euclidean distance with its neighboring K samples using Eq. (3).

6: The number of majority class samples around the minority class samples is calculated by Eq. (5) using the minority sample Xi.

7: Calculate the number of syntheses required for each minority class using Eq. (4)

8: Loop from 1 to gi: One of the few samples Xi is selected to synthesize the data by Eq. (6).

$d = \frac{m_{s}}{m_{l}},$ (1) where d is the class imbalance, d ∈ [0, 1]; m_s denotes the number of minority samples; m_l denotes the number of majority samples.

$G = (m_{l} - m_{s}) \times β,$ (2) where G is the total number of defined composite data samples that need to be generated for a few classes, and β represents the balance level required to specify the composite data, β ∈ [0, 1].

$r_{i} = \frac{Δ_{i}}{K}, i = 1, . . . m_{s},$ (3) where r_i ∈ [0, 1] is the scale value and Δ_i is the number of K nearest neighboring samples of the minority sample x_i that belong to the majority class.

$g_{i} = {\hat{r}}_{i} \times G,$ (4)

${\hat{r}}_{i} = \frac{r_{i}}{\sum_{i = 1}^{m_{s}} r_{i}},$ (5) where g_i is the synthesized data and ${\hat{r}}_{i}$ is the normalized value of r_i. $s_{i} = x_{i} + (x_{zi} - x_{i}) \times λ,$ (6) where x_i each minority class sample, x_zi denotes a randomly selected minority class sample from the K nearest neighboring samples of the data x_i, (x_zi - x_i) denotes the vector difference in the n-dimensional space; λ ∈ [0, 1] of random numbers.

The new dataset after feature selection and category balancing was fed into the network architecture constructed based on VGG16 and Resnet18. The newly constructed residual network architecture is shown in Fig. 2.

Fig. 2

VRNET architecture for classification models based on VGG16 and Resnet18.

VRNET is explained in detail as follows: polynomial dimensioning on the processed dataset. The data is processed into 32×32 size grayscale image like data so that it can be fed into the neural network. Resnet is recognized to be more effective and has relatively small parameters, so we choose Resnet18. Due to the small data size, we expect the new architecture to handle relatively large feature maps during residual network processing, and therefore do not expect the convolutional layers to change the size of the feature maps too much. Here we choose kernel_size=3, stride=1, similar in this convolutional layer VGG16.

For 32×32 size data, the architecture network cannot be too deep, so we hope the network architecture can be wider to enhance the learning ability. Considering the arithmetic power, the convolutional layer with out_features=128 is chosen for this experiment corresponding to the out_features=128 convolutional block in the VGG16 architecture. Since out_features=128, the in_features of the convolutional layers in the residual block of Resnet18 must be 128. We chose the residual block with the convolutional layer out_features=256 in the Resnet18 structure. Where out_features=256, in line with our expectation to make the feature map larger and allow the model to learn more information.

4 Experimental configuration and preparation

4.1 Experimental environment and parameter settings

This experimental model is run on a computer with the environment configuration shown in Table 3 and the algorithm parameter settings shown in Table 4.

Table 3
The configuration for our experimental environment

Component Description

CPU Intel(R) Core(TM) i5-12490F 3.00 GHz

Memory 16GB

GPU RTX 3060

Framework Python 3.9

Table 4

Model parameter setting

Module	Parameter settings
ADASYN	n_neighbors = 10
	sampling_stratery = ’not majority’
RFE	estimator = LightGBM
	n_features_to_select = i,
	(i ∈ [1, 2, 3, . . . N], N is the number of features in the dataset)
VRNet	batch_size = 64
	epochs = 50
	optimizer = RMSprop
	learning_rate = 0.001
	alpha = 0.99

4.2 Data understanding

The datasets selected for this study were the NSL-KDD and UNSW-NB15 datasets. These two datasets collect real-world network data, so they can simulate real-world network scenarios. The data distribution of the two datasets is shown in Table 5. From Table 5 it is seen that there are five categories in the NSL-KDD dataset, in addition to Normal normal requests there are four attack categories. There are 10 categories in the UNSW-NB15 dataset in addition to Normal normal requests there are 9 attack categories.

Table 5
Data distribution in the NSL-KDD and UNSW-NB15 datasets

Dataset Category Numerical label Train set Test set

NSL-KDD Normal 1 67343 9711

Dos 2 45927 7636

Probe 3 11656 2574

R2L 4 995 2423

U2R 5 52 200

UNSW-NB15 Normal 1 56000 37000

Generic 2 40000 18871

Exploits 3 33393 11132

Fuzzers 4 18184 6062

Dos 5 12264 4089

Renconnaissance 6 10491 3496

Analysis 7 2000 677

Backdoor 8 1746 583

Shellcode 9 1133 378

Worms 10 130 44

In addition, in Table 5 we can see that the two datasets have an unbalanced data distribution on the training and test sets. Most notably, the number of Normal classes in the training set of NSL-KDD is 67,343 while the number of U2R is only 52 with a large distribution difference. Similarly, in the training set of UNSW-NB15, the number of Normal classes was 56,000, while the number of Shellcode and Worms was only 1,133 and 130, respectively, with significant distribution differences.

4.3 Evaluation metrics

Judging the good or bad performance of the model, for network intrusion detection models need to judge the overall performance of the model, the identification of each category. Therefore, we defined Accuracy, Precision, Recall, and F1-Score respectively according to the confusion matrix (Table 6). $Accuracy = \frac{TP + TN}{TP + TN + FP + FN},$ (7) $Precision = \frac{TP}{TP + FP},$ (8) $Rceall = \frac{TP}{TP + FN},$ (9) $F 1 = \frac{2 * Precision * Recall}{Precision + Recall},$ (10) $FAR = \frac{FP}{FP + TN} .$ (11)

In equations (7) to (10), we explain the classification success index. Equation 11 represents the error rate of model classification.

True Positive (TP): samples that were originally attacked are accurately identified by the model as attacked samples.

True Negative (TN): Samples that were not originally attacked are accurately identified by the model as not being attacked.

False Negative (FN): Samples that were originally attacked are incorrectly identified by the model as not being attacked.

False Positive (FP): Samples that were not originally attacked are incorrectly identified as attacked by the model.

Table 6

The confusion matrix

Actual	Prediction
	positive	negative
positive	TP	FN
negative	FP	TN

4.4 Data pre-processing

4.4.1 Z-score standardization

The different meaning of each feature in the dataset leads to different values for each feature [36]. Some features have large values and some have small values. In order for the model to make comprehensive judgments we need to normalize the data by Z-score (Eq. 12, Eq. 13) so that all features have the same range of values. $X^{*} = \frac{x - μ}{σ},$ (12) $σ = \sqrt{\frac{1}{N} \underset{i = 1}{\overset{N}{Σ}} x - μ 2},$ (13) where x is the data of the sample individuals, μ is the mean of the data, σ is the standard deviation of the data, and μ is the number of data.

4.4.2 Encoding

There are many subtypes of features and label categories in the dataset. For example, the attack categories in the UNSW-NB15 dataset belong to categorical numerical features, and if these features are normalized and directly input into the algorithm, the algorithm cannot recognize these features. The features of these categorical values need to be converted into continuous numerical values through encoding, as shown in the Numerical label column of Table 5.

5 Experiment and Analysis

In this subsection we will experimentally evaluate our proposed approach. The feature selection process of this method, balancing the category process, is described in detail. In addition, we have done ablation experiments to verify the effectiveness of each module of our proposed method, and finally, we have compared it with traditional methods and current more advanced methods to verify the effectiveness of our proposed method.

5.1 Feature selection Based on RFE

The NSL-KDD and UNSW-NB15 datasets with multiple features have 41 and 42 features, respectively. We tested using the RFE method and removed the least important feature each time. The first feature to be removed is the least important, and the last feature to be removed is the most important. The feature subsets selected using the RFE algorithm are shown in Table 7. The importance of each best subset of features increases in the order of ranking.

Table 7
The best subset of selected features

Dataset Feature Name

NSL-KDD wrong_fragment

srv_count

dst_host_srv_serror_rate

dst_host_srv_diff_host_rate

diff_srv_rate

hot

flag

protocol_type

dst_host_same_srv_rate

dst_host_rerror_rate

duration

dst_host_count

count

dst_bytes

dst_host_serror_rate

dst_host_same_src_port_rate

dst_host_srv_count

dst_host_diff_srv_rate

src_bytes

UNSW-NB15 dinpkt

dtcpb

sjit

stcpb

ackdat

spkts

ct_dst_src_ltm

ct_src_ltm

proto

synack

ct_srv_dst

sinpkt

dload

dur

ct_srv_src

djit

dbytes

rate

dmean

sload

smean

We have studied the four most important features as shown in Fig. 3 and Fig. 4. Interactive analysis is conducted on the four most important features in the figure, with dots of different colors representing different categories. On the main diagonal, display the distribution map of each category for that feature, and on the non diagonal, display the scatter distribution map of each category between two different features.

Fig. 3

Most important feature interactions in the NSL-KDD dataset.

Fig. 4

Most important feature interactions in the UNSW-NB15 dataset.

In the non diagonal scatter plot in Fig. 3, for example, the percentage of connections with the same target host and source port as the current connection in the first 100 connections (dst_host_same_src_port_rate) and the number of connections with the same target host and service as the current connection in the first 100 connections (dst_host_srv_count) feature interaction show that the normal class accounts for the majority, with a small number of Probe and Dos attacks. Probe attacks are usually distributed when the dst_host_srv_count feature takes a value of 0 and when the dst_host_same_src_port_rate feature takes a value of 1. In addition, the interaction between the network service type (service) feature of the target host and the dst_host_srv_count feature illustrates that most of the Dos attacks are distributed among different host network service types with the dst_host_srv_count feature taking values between [0, 50]. Also the percentage of the first 100 connections that have the same target host with different services as the current connection (dst_host_diff_srv_rate) feature interacting with the service feature shows that Dos is basically distributed around the dst_host_diff_srv_rate taking a value of 0. Most of the Normal classes are distributed in the range of [0, 25] and [50, 75] for service.

The distribution of the five classes on the dst_host_srv_count feature in the distribution plot on the main diagonal in Fig. 3 shows that the normal class is mostly distributed within the range of [200, 300] for dst_host_srv_count. Dos attacks are mostly distributed within the range of [0, 100] for dst_host_srv_count, which indicates that the dst_host_srv_count feature can distinguish well between normal class and Dos attacks. In comparison, the dst_host_same_src_port_rate feature is not very useful for distinguishing normal classes from Dos attacks, because the distribution of normal classes and Dos attacks roughly overlap in this feature. Moreover, the distributions of the five categories in service, dst_host_diff_srv_rate, dst_host_srv_count, and dst_host_same_src_port_rate illustrate that these features do not distinguish significantly between the two types of attacks, R2L and U2R, and it can be inferred that the model has some difficulty in judging these two categories.

In Fig. 4, for example, in the non diagonal scatter plot, the interaction between the source bit count per second (sload) feature and the average stream packet size transmitted to the destination (dmean) feature shows that when the sload feature value is 0, all categories are distributed within the range of [0, 1500] of the dmean feature. When the dmean feature value is 0, all categories are distributed within the range of [0, 6] of the load feature. Similarly, in the interaction between the average packet size (smean) features of the active transmission of the rate and dmean features, all categories are distributed within the range of [0, 0.5] or 1 for the rate feature, while there is no sample distribution when the rate feature value is within the range of [0.5, 1]. In addition, the interaction graph between smean features and dmean features shows that the majority of the distributed samples are Exploits with a small number of Genetics and Fuzzers.

In the distribution plot on the main diagonal in Fig. 4, all the category samples on the four features of sload, smean, dmean, and rate are basically distributed in the vicinity of the zero value of the feature. Among them, samples in the Generic category are more distributed around the values of smean and dmean of 0, while samples in the Normal category are more distributed around the values of sload and rate of 0.

5.2 Imbalance processing based on ADASYN

The existence of data imbalance in the dataset will lead to the ineffectiveness of the Accuracy metrics, and in order to make the Accuracy metrics effective we must balance the dataset. In order to show more intuitively the changes in the data distribution of the algorithm before and after data balancing, we used the data reduction algorithm t-SNE [37] to visualize and analyze the distribution before and after data balancing.

In Fig. 5a, most of the sample categories in the NSL-KDD dataset before balancing are normal (red), probe (purple), and U2R (green), while there are very few sample categories for Dos (blue) and R2L (orange). In Fig. 6a, the UNSW-NB15 set consists of three categories: Reconnaissance (grey), Dos (green), and Exploits (red) before balancing, with Analysis (blue), Generic (brown), and Fuzzers (purple) accounting for a small portion of the samples. The four categories of Backdoor (orange), Worms (sky blue), Shellcode (light green), and Normal (pink) have a small number, resulting in serious data imbalance in the dataset.

Fig. 5

Comparison of NSL-KDD dataset before and after using ADASYN algorithm.

Fig. 6

Comparison of UNSW-NB15 dataset before and after using ADASYN algorithm.

5.3 Ablation experiments

In order to further confirm the effectiveness of our proposed algorithm and the performance of each module, we conducted an ablation study based on the proposed modules.

(1) Based on origin data. Experiments are performed on the original dataset and intrusion detection is performed using VRNET, which partially evaluates the classification performance of the VRNET algorithm.

(2) Based on RFE. Feature selection using RFE algorithm and intrusion detection using VRNET on the original dataset, which partially evaluates the effectiveness of the feature selection part of RFE algorithm.

(3) Based on ADASYN. Data balancing of the dataset using the ADASYN algorithm and intrusion detection using the VRNET algorithm on the dataset, which partially tests the effectiveness of the ADASYN algorithm data balancing.

(4) Our model. Feature selection using RFE algorithm, then data balancing of the dataset using ADASYN algorithm for the data, and finally intrusion detection using VRNET. This part validates the effectiveness of our proposed model.

The results of the ablation experiments are shown in Table 8. On the NSL-KDD dataset, Table 8 shows that intrusion detection research conducted only on the original dataset performs poorly compared with other algorithms. The performance of the RFE-based algorithm and the ADASYN-based algorithm are similar in all four metrics. The performance based on the RFE algorithm achieved 76.4% in the Precision index, which is the highest among all algorithms. Our proposed model leads other algorithms in terms of accuracy, Recall, F1, and other metrics.

Table 8
Results of ablation experiments on the NSL-KDD and UNSW-NB15 datasets (Unit (%))

Method NSL-KDD UNSW-NB15

Accuracy Precision Recall F1 Accuracy Precision Recall F1

Based on origin data 78.18 69.6 57.69 57.8 69.85 44.44 56.36 47.47

Based on RFE 82.15 76.4 64.64 66.3 75.15 43.54 55.01 44.82

Based on ADASYN 783.45 71.23 64.28 65.22 77.24 44.91 56.63 45.93

Our model 86.31 74.16 68.2 69.35 82.56 49.79 61.01 53.24

In Fig. 5b, after using the ADASYN algorithm for data balancing in the NSL-KDD dataset, the number of Dos and R2L sample classes increased, resulting in a relatively balanced number of categories in the NSL-KDD dataset. In Fig. 6b, after data balancing, the number of samples in the four categories of Backdoor, Worms, Shellcode, and Normal increased. Comparing Fig. 5a, Fig. 5b, Fig. 6a, and Fig. 6b, it is demonstrated that the use of ADASYN algorithm alleviates data imbalance in the dataset.

On the UNSW-NB15 dataset, Table 8 shows that the performance of the VRNET algorithm based on the original data, the RFE algorithm based on the original data, and the ADASYN algorithm based on the precision, recall, and F1 are equivalent. Based on the performance of the Accuracy index, the performance of our algorithm is 82.56%, and the worst performance of intrusion detection based on the original data using VRNET algorithm is 69.85%.

In summary, our proposed algorithm combines the RFE and ADASYN algorithms, and the performance is substantially improved compared to the original data-based, RFE-based and ADASYN-based algorithms. It also illustrates the effectiveness of each module in our algorithm.

5.4 Comparative study

In order to prove the progressiveness of the proposed method, in this section, we will compare the proposed algorithm with the representative network intrusion detection methods in the traditional methods. In addition, we also listed the more advanced network intrusion detection algorithms in the past three years, which proved the progressiveness of our algorithm.

5.4.1 Comparison with classical methods

In Table 9, we selected Support Vector Machine (SVM) [39], Random Forest (RF) [38], and XGBoost [40]. Based on these three algorithms we conducted experiments on NSL-KDD dataset. In addition, we also selected ADASYN and SMOTE [41] data balance methods to conduct experiments based on the above three methods for comprehensive comparison.

As shown in Table 9 in the NSL-KDD dataset, the XGBoost algorithm leads the other two algorithms in Accuracy, Recall, and F1 performance among the three basic algorithm performance, and the RF algorithm has the best performance of 84.84% in Precision performance index. After combining the three algorithms with the SMOTE algorithm, there is a certain improvement in performance compared to the original three basic algorithms. The best performing algorithm is SMOTE combined with XGBoost algorithm. Finally, compared with our algorithm, our proposed algorithm leads other algorithms in three performance metrics, Accuracy, Recall, and F1, and the RF algorithm performs best in Precision metric.

Table 9
Comparison with classical methods on the NSL-KDD dataset (Accuracy, Precision, Recall, F1, FAR (%), cpu time (sec))

Method NSL-KDD

Accuracy Precision Recall F1 cpu time FAR

RF [38] 74.79 84.84 48.41 48.68 4.63 0.17

SVM [39] 75.33 84.03 49.21 50.15 7.56 0.21

XGBoost [40] 76.93 77.95 50.27 50.53 4.23 0.14

SMOTE [41]+RF 75.01 78.84 49.70 49.99 8.95 0.12

SMOTE+SVM 76.82 65.89 54.45 54.85 13.03 0.18

SMOTE+XGBoost 77.09 82.63 53.49 55.11 8.56 0.08

ADASYN+RF 75.43 78.56 49.88 49.80 9.31 0.15

ADASYN+SVM 76.69 66.01 54.30 55.20 13.78 0.23

ADASYN+XGBoost 77.31 82.12 53.49 55.29 14.26 0.14

Our method 86.31 74.16 68.21 69.35 109.66 0.05

As shown in Table 10 in the UNSW-NB15 dataset, the highest Accuracy value of 75.37% was achieved for the Random Forest algorithm among the performance of the three base algorithms. The best Precision performance metric is the XGBoost algorithm with 53.97%, while SVM performs worse in Recall and F1 values with 39.02% and 42.48%, respectively. The RF algorithm outperforms the other two algorithms when combined with the SMOTE algorithm. Our proposed algorithm outperforms other algorithms in Accuracy, Recall, and F1 performance metrics by 82.56%, 61.01%, and 53.24%, respectively.

Table 10

Comparison with classical methods on the UNSW-NB15 dataset (Accuracy, Precision, Recall, F1, FAR (%), cpu time (sec))

Method	UNSW-NB15
	Accuracy	Precision	Recall	F1	cpu time	FAR
RF [38]	75.37	53.25	49.72	50.15	7.82	0.28
SVM [39]	70.29	48.83	39.02	42.48	11.26	0.31
XGBoost [40]	71.68	53.97	53.30	53.47	8.03	0.21
SMOTE [41]+RF	72.64	48.64	59.12	49.16	13.62	0.24
SMOTE+SVM	64.57	39.49	52.53	40.92	15.47	0.26
SMOTE+XGBoost	71.19	50.48	51.69	50.73	14.13	0.16
ADASYN+RF	72.56	40.00	60.89	49.54	14.23	0.24
ADASYN+SVM	64.30	39.76	52.39	40.92	15.11	0.25
ADASYN+XGBoost	70.99	51.08	51.69	51.23	14.92	0.18
Our method	82.56	50.79	61.01	53.24	189.52	0.12

Finally, as shown in Table 9 and Table 10, our proposed algorithm has the longest running time on both datasets. The combination of basic classifiers and data balancing methods will increase the algorithm runtime. For example, compared to the RF+SMOTE algorithm, the RF+SMOTE algorithm has a much longer runtime than the RF algorithm. In addition, our classification algorithm has a much higher complexity than the three basic classifiers, resulting in a longer algorithm running time. In addition, our algorithm has the lowest FAR index. The accurate detection of the model reduces the error rate.

5.4.2 Comparison with state-of-the-art methods

In Fig. 7, Fig. 8, we compare the proposed method with the network intrusion detection algorithms proposed in recent years. What is compared in Fig. 7 is the comparison of network intrusion detection algorithms on the NSL-KDD dataset for each class capture accuracy. What is compared in Fig. 8 is the comparison of network intrusion detection algorithms on the UNSW-NB15 dataset for each class capture accuracy.

As shown in Fig. 7, our proposed algorithm in Figs. 7a and 7d outperforms OAR-SVM and DE-ELM algorithms in terms of accuracy in identifying five categories on the NSL-KDD dataset, especially in terms of accuracy for Probe and U2R attacks. Comparing the S-NDAE algorithm in Fig. 7b, S-NDAE is slightly ahead of our proposed algorithm in the accuracy of Dos, Probe and Normal class recognition, but our algorithm has a great advantage in the accuracy of R2L and U2R class recognition. Compared with the HC-DTTWSVM algorithm in Fig. 7c, the HC-DTTWSVM algorithm performs equally well in the recognition accuracy of the Normal, Dos, and U2R categories. The recognition accuracy of the R2L category is superior to our algorithm, and our algorithm outperforms the HC-DTTWSVM algorithm in the Probe category.

Fig. 7

Accuracy of different detection algorithms for each category on the NSL-KDD.

In the comparison of the UNSW-NB15 dataset in Fig. 8a, compared with the HC-DTTWSVM algorithm, this algorithm only leads our algorithm in terms of accuracy in identifying the Exploration and Analysis classes, while our algorithm leads or is comparable in accuracy in identifying other classes. In Fig. 8d, our algorithm is only weaker than the SVM algorithm in terms of recognition accuracy for the Exploits category, while our algorithm has certain advantages in recognition accuracy for other categories. Compared with the Deep SARSA algorithm in Fig. 8b, the Deep SARSA algorithm has advantages in the accuracy of Exploits, Fuzzers, and Normal class recognition, while our algorithm leads in the accuracy of Worms, Backdoor, and Dos class recognition. In Fig. 8c, the Decision Tree algorithm leads in the recognition accuracy of Exploits, Fuzzers, and Shellcode categories, while our algorithm leads in the recognition accuracy of other categories.

Fig. 8

Accuracy of different detection algorithms for each category on the UNSW-NB15.

Table 11 presents a comparison of the overall accuracy of network intrusion detection on the NSL-KDD dataset for the last three years, and our algorithm achieves an accuracy of 86.31%, which possesses a higher accuracy rate compared to other methods. Table 12 presents a comparison of the overall accuracy of network intrusion detection over the last three years on the UNSW-NB15 dataset, and our algorithm achieves an accuracy of 82.56%, outperforming other algorithms.

Table 11

Comparison of overall accuracy of different methods on the NSL-KDD dataset

Model	Year	Accuracy(%)
DQN [49]	2020	81.80
Multi-CNN [50]	2020	81.33
AESMOTE [51]	2020	82.09
DAE-DNN [52]	2021	83.33
CAFE-CNN [53]	2021	83.34
I-SiamIDS [54]	2021	80.00
DE-ELM [45]	2022	80.15
DNN [55]	2022	81.87
CS-NN [56]	2022	85.56
Deep-SARAS [45]	2023	84.36
LSTM-XGBoost [57]	2023	85.93
HC-DTTWSVM [44]	2023	85.95
Our method	2023	86.31

Table 12

Comparison of overall accuracy of different methods on the UNSW-NB15 dataset

Model	Year	Accuracy(%)
FFDNN [58]	2020	77.16
NSGA2-LR [59]	2020	64.23
ANN-XGBoost [60]	2020	77.15
GA-ET [61]	2020	77.64
DBM-EGWO-KELM [62]	2021	79.50
MCNN-DFS [63]	2021	80.51
1D-CNN [64]	2022	76.30
MLD [65]	2022	79.87
LSTM-XGBoost [57]	2023	73.01
HC-DTTWSVM [44]	2023	81.21
Our method	2023	82.56

In summary, the above comparison results fully demonstrate that the proposed algorithm improves the accuracy of network intrusion detection and is effective in network intrusion detection. It exhibits excellent performance in high-dimensional and imbalanced datasets, achieving precise detection of intrusion attacks.

6 Conclusion

It is crucial to accurately identify network attacks when a network is invaded. In this paper, the ADASYN-RFE-VRNET model is proposed to solve the problem based on a multi-featured, imbalanced data set.

The experimental results show that the proposed algorithm is more accurate in the overall accuracy of detection compared to the advanced algorithms proposed in the last three years, while the effectiveness of each module of the algorithm is demonstrated in the ablation experiments. The method proposed in this paper can be better applied to network intrusion detection in the future to identify network attacks. However, Our model needs to improve after taking a long time to execute. In addition, as far as the accuracy of each class is concerned, the algorithm does not have a high recognition accuracy for each class. In the future application, we will further investigate the computational complexity of the proposed method, and improve its computational speed in real-world network environments.

Footnotes

Acknowledgments

This work was supported in part by Fujian Provincial Department of Science and Technology under Grant No. 2021J011070, and Fujian University of Technology under Grant No. GY-Z18148.

References

Wang

C.-H.

, Lee

C.-J.

and Wu

, A coverage-based location approach and performance evaluation for the deploymentof 5G base stations, IEEE Access 8 (2020), 123320–123333.

Hindy

, Brosset

, Bayne

, Seeam

A.K.

, Tachtatzis

, Atkinson

and Bellekens

, A toaxonmy of networkthreats and the effect of current datasets on intrusion detection systems, IEEE Access 8 (2020), 104650–104675.

Buczak

A.L.

and Guven

, A survey of data mining and machine learning methods for cyber security intrusiondetection, IEEE Communications Surveys & Tutorials 18(2) (2015), 1153–1176.

Kumar

, Gupta

and Arora

, A comparative simulation of normalization methods for machine learning-basedintrusion detection systems using KDD Cup’99 dataset, Journal of Intelligent & Fuzzy Systems 42(3) (2022), 1749–1766.

Poornima

, Elangovan

and Nagarajan

, Network attack classification using LSTM with XGBoost featureselection, Journal of Intelligent & Fuzzy Systems 43(1) (2022), 971–984.

J.X.

, Wang

X.D.

, Song

Y.F.

, Xiang

, Chen

Network intrusion detection based on conditional wasserstein variational autoencoder with generative adversarial network and one-dimensional convolutional neural networks, Applied Intelligence (2022), 1–21.

H.B.

, Bai

, Edwardo

A.G.

, Li

S.T.

ADASYN: Adaptive synthetic sampling approach for imbalanced learning, 2008 IEEE International Joint Conference on Neural Networks (IEEE World Congress on Computational Intelligence) (2008), 1322–1328.

Simonyan

, Zisserman

Very deep convolutional networks for large-scale image recognition, (2014), arXiv:1409.1556.

K.M.

, Zhang

X.Y.

, Ren

S.Q.

, Sun

Deep Residual Learning for Image Recognition, IEEE Conference on Computer Vision and Pattern Recognition (2016), 770–778.

10.

Tavallaee

, Bagheri

, Lu

, Xiang

, Ghorbani

A.A.

A detailed analysis of the KDD CUP 99 data set, 2009 IEEE symposium on computational intelligence for security and defense applications (2009), 1–6.

11.

Moustafa

, Slay

UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSWNB15 network data set), 2015 Military Communications and Information Systems Conference (MilCIS), (2015), 1–6.

12.

Shankar

, Victo

, George

, Naidu

, Madhuri

and Jakim

, Deep Analysis of Risks and Recent TrendsTowards Network Intrusion Detection System, International Journal of Advanced Computer Science andApplications 14(1) (2023).

13.

Zhang

Y.C.

, Feng

, Liao

Z.K.

, Li

Z.X.

and Yao

S.W.

, Universal backdoor attack on deep neural networks formalware detection, Applied Soft Computing 143 (2023), 110389.

14.

Wang

, Zhang

, Sun

and Wang

, Analysis of Recent Deep-Learning-Based Intrusion Detection Methods forIn-Vehicle Network, IEEE Transactions on Intelligent Transportation Systems 24(2) (2023), 1843–1854.

15.

Zhou

H.X.

, Kang

L.Y.

, Pan

, Wei

and Feng

, An intrusion detection approach based on incremental longshortterm memory, International Journal of Information Security 22 (2023), 433–446.

16.

Khan

M.A.

, Iqbal Imran

, Jamil

and Kim

D.H.

, An optimized ensemble prediction model using AutoML based onsoft voting classifier for network intrusion detection, Journal of Network and Computer Applications 212(1) (2023), 103560.

17.

Wang

C.-H.

, Cai

J.B.

, Ye

, Suo

Y.F.

, Lin

S.M.

and Yuan

J.C.

, A two-stage convolution network algorithm forpredicting traffic speed based on multi-feature attention mechanisms, Journal of Intelligent & FuzzySystems 45(3) (2023), 5181–5196.

18.

Erokhin

S.D.

, Borisenko

B.B.

, Martishin

I.D.

, Fadeev

A.S.

The Dataset Features Selection for Detecting and Classifying Network Attacks, 2022 Systems of Signal Synchronization, Generating and Processing in Telecommunications (SYNCHROINFO), (2022), 1–8.

19.

Thakkar

and Lohiya

, Fusion of statistical importance for feature selection in Deep Neural Network-basedIntrusion Detection System, Information Fusion 90 (2023), 353–363.

20.

Damtew

Y.G.

, Chen

and Yuan

, Heterogeneous Ensemble Feature Selection for Network Intrusion DetectionSystem, International Journal of Computational Intelligence Systems 16(1) (2023), 9.

21.

Wang

C.-H.

, Chen

S.M.

, Zhao

Q.G.

and Suo

Y.F.

, An Efficient End-to-End Obstacle Avoidance Path Planning Algorithmfor Intelligent Vehicles Based on Improved Whale Optimization Algorithm, Mathematics 11(8) (2023), 1800.

22.

Yuvaraja

, Arunkumar

, Vinodh Kumar

and Mary Immaculate Sheela

, Improved Grey Wolf Optimization-(IGWO-)Based Feature Selection on Multiview Features and Enhanced Multimodal-Sequential Network Intrusion DetectionApproach, Wireless Communications and Mobile Computing 2023 (2023), no. 8478457.

23.

Rezvani

and Wang

X.Z.

, A broad review on class imbalance learning techniques, Applied Soft Computing 143 (2023), 110415.

24.

Cui

J.Y.

, Zong

L.S.

, Xie

J.H.

and Tang

M.W.

, A novel multi-module integrated intrusion detection system forhigh-dimensional imbalanced data, Applied Intelligence 53(1) (2023), 272–288.

25.

Song

J.M.

, Wang

X.J.

, He

M.S.

and Lei

, CSK-CNN: Network Intrusion Detection Model Based on Two-Layer Convolution Neural Network for Handling Imbalanced Dataset, Information 14(2) (2023), 130.

26.

Khan

M.A.

, Iqbal Imran

, Jamil

and Kim

D.H.

, An optimized ensemble prediction model using AutoML based onsoft voting classifier for network intrusion detection, Journal of Network and Computer Applications 212(1) (2023), 103560.

27.

Abbas

, Hina

, Sajjad

, Zaidi

K.S.

and Akbar

, Optimization of predictive performance of intrusiondetection system using hybrid ensemble model for secure systems, PeerJ Computer Science 9 (2023), e1552.

28.

Imran

F.J.

and Kim

, An Ensemble of Prediction and Learning Mechanism for Improving Accuracy of AnomalyDetection in Network Intrusion Environments, Sustainability 12(18) (2021), 10057.

29.

Duan

X.D.

, Computer Network Intrusion Anomaly Detection Based on Rough Fourier Fast Algorithm, MathematicalProblems in Engineering 2022 (2022).

30.

Pooja

T.S.

and Shrinivasacharya

, Evaluating neural networks using Bi-Directional LSTM for network IDS(intrusion detection systems) in cyber security, Global Transitions Proceedings 2(2) (2021), 448–454.

31.

Kornyo

, Asante

, Opoku

, Owusu-Agyemang

, Partey

T.B.

, Baah

E. K.

and Boadu

, Botnet attacksclassification in AMI networks with recursive feature elimination (RFE) and machine learning algorithms, Computers & Security 135 (2023), 103456.

32.

Thilagam

and Aruna

, Intrusion detection for network based cloud computing by custom RC-NN and optimization, ICT Express 7(4) (2021), 512–520.

33.

Abdelkhalek

and Mashaly

, Addressing the class imbalance problem in network intrusion detection systemsusing data resampling and deep learning, The Journal of Supercomputing 79 (2023), 10611–10644.

34.

Harini

, Maheswari

, Ganapathy

and Sivagami

, An effective technique for detecting minority attacks inNIDS using deep learning and sampling approach, Alexandria Engineering Journal 78 (2023), 469–482.

35.

Wei

, Wang

C.-H.

, Suo

Y.F.

, Zhao

Q.G.

, Yuan

J.C.

and Chen

M.S.

, ,FHO-based Hybrid Neural Networks for Short-Term Load Forecasting inEconomic Dispatch of Power Systems, Journal of NetworkIntelligence 9 (2024), in press.

36.

Wang

C.-H.

, Zhao

Q.G.

and Tian

, Short-Term Wind Power Prediction Based on Hybrid Markov-based PSO-BP NeuralNetwork, Energies 16(11) (2023), 4282.

37.

Van der Maaten

and Hinton

, Visualizing data using t-SNE, Journal of Machine Learning Research 9(11) (2008), 2579–2605.

38.

Breiman

, Random Forests, Machine Learning 45(1) (2001), 5–32.

39.

Cortesc

, Support vector networks, Machine Learning 20(3) (1995), 273–297.

40.

Chen

and Guestrin

, Xgboost: A scalable tree boosting system, Proceedings of the system, Proceedings of the 22nd acm sigkddinternational conference on knowledge discovery and data mining (10) (2016), 785–794.

41.

Chawla

N.V.

, Bowyer

K.W.

, Hall

L.O.

and Kegelmeyer

W.P.

, SMOTE: synthetic minority over-sampling technique, Journal of artificial intelligence research 16 (2002), 321–357.

42.

Aburomman

A.A.

and Reaz

M.B.I.

, A novel weighted support vector machines multiclass classifier based ondifferential evolution for intrusion detection systems, Information Sciences 414 (2017), 225–246.

43.

Shone

, Ngoc

T.N.

, Phai

V.D.

and Shi

, A deep learning approach to network intrusion detection, IEEEtransactions on emerging topics in computational intelligence 2(1) (2018), 41–50.

44.

Zou

, Luo

, Zhang

, Yang

and Wang

, HCDTTSVM: A Network Intrusion Detection Method Based on DecisionTree Twin Support Vector Machine and Hierarchical Clustering, IEEE Access 11 (2023), 21404–21416.

45.

Al-Yaseen

W.L.

, Idrees

A.K.

and Almasoudy

F.H.

, Wrapper feature selection method based differential evolution andextreme learning machine for intrusion detection system, Pattern Recognition 132 (2022), 108912.

46.

Mohamed

and Ejbali

, Deep SARSA-based reinforcement learning approach for anomaly network intrusiondetection system, International Journal of Information Security 22(1) (2023), 235–247.

47.

Meftah

, Rachidi

and Assem

, Network based intrusion detection using the UNSW-NB15 dataset, International Journal of Computing and Digital Systems 8(5) (2019), 478–487.

48.

Jing

and Chen

H.B.

, SVM Based Network Intrusion Detection for the UNSW-NB15 Dataset, 2019 IEEE 13thInternational Conference on ASIC (ASICON) (2019), 1–4.

49.

Sethi

, Rupesh

E.S.

, Rahul

, Padmalochan

and Madhav

Y.V.

, A context-aware robust intrusion detectionsystem: a reinforcement learning-based approach, International Journal of Information Security 19(6) (2020), 657–678.

50.

Y.M.

, Xu

Y.Y.

, Liu

, Hou

H.X.

, Zheng

Y.S.

, Xin

, Zhao

Y.F.

and Cui

Z.L.

, Robust detection for networkintrusion of industrial IoT based on multi-CNN fusion, Measurement 154 (2020), 107450.

51.

and Shi

, Aesmote: Adversarial reinforcement learning with smote for anomaly detection, IEEETransactions on Network Science and Engineering 8(2) (2020), 943–956.

52.

Kunang

Y.N.

, Nurmaini

, Stiawan

and Suprapto

B.Y.

, Attack classification of an intrusion detection systemusing deep learning and hyperparameter optimization, Journal of Information Security and Applications 58 (2021), 102804.

53.

Shams

E.A.

, Rizaner

and Ulusoy

A.H.

, A novel contextaware feature extraction method for convolutional neuralnetwork-based intrusion detection systems, Neural Computing and Applications 33(20) (2021), 13647–13665.

54.

Bedi

, Gupta

and Jindal

, I-SiamIDS: an improved Siam-IDS for handling class imbalance in network-basedintrusion detection systems, Applied Intelligence 51(2) (2021), 1133–1151.

55.

Thirimanne

S.P.

, Jayawardana

, Yasakethu

, Liyanaarachchi

and Hewage

, Deep neural network basedreal-time intrusion detection system, SN Computer Science 3(2) (2022), 145.

56.

Rani

, Effective network intrusion detection by addressing class imbalance with deep neural networks multimediatools and applications, Multimedia Tools and Applications 81(6) (2022), 8499–8518.

57.

Kasongo

S.M.

, A deep learning technique for intrusion detection system using a Recurrent Neural Networks basedframework, Computer Communications 199 (2023), 113–125.

58.

Kasongo

S.M.

and Sun

, A deep learning method with wrapper based feature extraction for wireless intrusiondetectionsystem, Computers & Security 92 (2020), 101752.

59.

Khammassi

and Krichen

, A NSGA2-LR wrapper approach for feature selection in network intrusion detection, Computer Networks 172 (2020), 107183.

60.

Kasongo

S.M.

and Sun

, Performance analysis of intrusion detection systems using a feature selection method onthe UNSW-NB15 dataset, Journal of Big Data 7(1) (2020), 1–20.

61.

Kasongo

S.M.

and Sun

, An advanced intrusion detection system for IIoT based on GA and tree based algorithms, IEEE Access 9 (2021), 113199–113212.

62.

Wang

, Zeng

, Liu

and Li

, Deep belief network integrating improved kernel-based extreme learningmachine for network intrusion detection, IEEE Access 9 (2021), 16062–16091.

63.

Al-Turaiki

and Altwaijry

, A convolutional neural network for improved anomaly-based network intrusiondetection, Big Data 9(3) (2021), 233–252.

64.

Hooshmand

M.K.

and Hosahalli

, Network anomaly detection using deep learning techniques, CAAI Transactionson Intelligence Technology 7(2) (2022), 228–243.

65.

Xie

, Li

S.H.

, Zhang

Y.Z.

, Sun

P.S.

and Xu

H.B.

, Analysis and Detection against Network Attacks in theOverlapping Phenomenon of Behavior Attribute, Computers & Security 121 (2022), 102867.

References	Objective	Algorithm	Dataset	Advantage	Disadvantage
Abbas [27]	improve the anomaly detection process in network.	Recursive Feature Elimination (RFE), Random Forest, MLP.	NSL-KDD, UNSW-NB15, CSE-IC-IDS2018	Utilizing recursive feature elimination (RFE) for feature selection has improved the accuracy.	Not utilizing data balancing methods to address class imbalance issues.
Imran [28]	Detect network intrusion.	AutoML, Kalman Filter.	UNSW-NB15, CICIDS2017.	Using SMOTE to solve data inequality and then using AutoML algorithm for classification.	Redundant features should be reduced to improve model accuracy.
Duan [29]	Propose a network intrusion detection method.	A rough Fourier fast algorithm, RSDB, RE-RFE, KNN algorithm.	KDD99.	Significantly reduced the classification modeling time, with an average reduction of 0.09 seconds.	Not conducting experiments on multiple datasets.
Pooja [30]	detect intrusion in cyber security	Recurrent Neural Network and LSTM.	UNSW-NB15, KDDCUP99.	Trigger different activation functions to optimize detection.	Unresolved data imbalances.
Kornyo [31]	The main purpose is to control the flow of packets on the network.	AdkNN, RFE, RF, NB.	CICIDS 2017	Achieved high accuracy and low false positive rate.	Model generalization ability not verified on other datasets.
Thilagam [32]	Proposed an intrusion detection system based on cloud computing.	RC-NN and Ant Lion optimization algorithm.	DARPA IDS and CSE-CIC-IDS2018.	Varying different thresholds to simplify the features in the dataset allows the classifier to achieve optimal results.	The author of this method should only conduct experiments on one dataset to demonstrate the effectiveness of the proposed method.
Abdelkhalek [33]	Propose new methods for balancing data.	ADASYN+TomekLink, CNN, LSTM, SVM, MLP.	NSL-KDD.	The author combined ADASYN and Tomek Links algorithms to solve the problem of data imbalance on the dataset, and the results showed that the recognition accuracy of the model was improved.	No feature selection was conducted on the dataset and no experiments were conducted on other datasets.
Harini [34]	Detecting vulnerabilities in the network by identifying any activity that deviates from the baseline pattern.	ADASYN, Triple Layered Hybrid.	NSL-KDD, CICIDS-2017, CIDDS 001.	By dividing intrusion detection technology into three layers, a high level of accuracy was achieved on three datasets.	No feature selection has been applied to the dataset.

Component	Description
CPU	Intel(R) Core(TM) i5-12490F 3.00 GHz
Memory	16GB
GPU	RTX 3060
Framework	Python 3.9

Dataset	Category	Numerical label	Train set	Test set
NSL-KDD	Normal	1	67343	9711
	Dos	2	45927	7636
	Probe	3	11656	2574
	R2L	4	995	2423
	U2R	5	52	200
UNSW-NB15	Normal	1	56000	37000
	Generic	2	40000	18871
	Exploits	3	33393	11132
	Fuzzers	4	18184	6062
	Dos	5	12264	4089
	Renconnaissance	6	10491	3496
	Analysis	7	2000	677
	Backdoor	8	1746	583
	Shellcode	9	1133	378
	Worms	10	130	44

Dataset	Feature Name
NSL-KDD	wrong_fragment
	srv_count
	dst_host_srv_serror_rate
	dst_host_srv_diff_host_rate
	diff_srv_rate
	hot
	flag
	protocol_type
	dst_host_same_srv_rate
	dst_host_rerror_rate
	duration
	dst_host_count
	count
	dst_bytes
	dst_host_serror_rate
	dst_host_same_src_port_rate
	dst_host_srv_count
	dst_host_diff_srv_rate
	src_bytes
UNSW-NB15	dinpkt
	dtcpb
	sjit
	stcpb
	ackdat
	spkts
	ct_dst_src_ltm
	ct_src_ltm
	proto
	synack
	ct_srv_dst
	sinpkt
	dload
	dur
	ct_srv_src
	djit
	dbytes
	rate
	dmean
	sload
	smean

A novel data-driven integrated detection method for network intrusion classification based on multi-feature imbalanced data

Abstract

Keywords

1 Introduction

2 Related Work

2.1 Feature selection

2.2 Imbalance processing methods

4.1 Experimental environment and parameter settings

Table 3 The configuration for our experimental environment Component Description CPU Intel(R) Core(TM) i5-12490F 3.00 GHz Memory 16GB GPU RTX 3060 Framework Python 3.9

4.4.1 Z-score standardization

5 Experiment and Analysis

5.1 Feature selection Based on RFE

5.4.1 Comparison with classical methods

Footnotes

Acknowledgments

References

Table 3
The configuration for our experimental environment

Component Description

CPU Intel(R) Core(TM) i5-12490F 3.00 GHz

Memory 16GB

GPU RTX 3060

Framework Python 3.9