TY - GEN
T1 - Cross-Datasets Evaluation of Machine Learning Models for Intrusion Detection Systems
AU - Al-Riyami, Said
AU - Lisitsa, Alexei
AU - Coenen, Frans
N1 - Publisher Copyright:
© 2022, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
PY - 2022
Y1 - 2022
N2 - The conventional way to evaluate the performance of machine learning models for intrusion detection systems (IDS) is by using the same dataset to train and test. This method might lead to bias from the computer network where the traffic is generated. Because of that, the applicability of the learned models might not be adequately evaluated. We argued in Al-Riyami et al. (ACM, pp 2195-2197 [1]) that a better way is to use cross-datasets evaluation, where we use two different datasets for training and testing. Both datasets should be generated from various networks. Using this method, as was shown in Al-Riyami et al. (ACM, pp 2195-2197 [1]), may lead to a significant drop in the performance of the learned model. This indicates that the models learn very little knowledge about the intrusion that would be transferable from one setting to another. The reasons for such behaviour were not fully understood in Al-Riyami et al. (ACM, pp 2195-2197 [1]). In this paper, we investigate the problem and show that the main reason is the different definitions of the same feature in both models. We propose the correction and further empirically investigate cross-datasets evaluation for various machine learning methods. Further, we explored cross-dataset evaluation in the multiclass classification of attacks, and we show for most models that learning traffic normality is more robust than learning intrusions.
AB - The conventional way to evaluate the performance of machine learning models for intrusion detection systems (IDS) is by using the same dataset to train and test. This method might lead to bias from the computer network where the traffic is generated. Because of that, the applicability of the learned models might not be adequately evaluated. We argued in Al-Riyami et al. (ACM, pp 2195-2197 [1]) that a better way is to use cross-datasets evaluation, where we use two different datasets for training and testing. Both datasets should be generated from various networks. Using this method, as was shown in Al-Riyami et al. (ACM, pp 2195-2197 [1]), may lead to a significant drop in the performance of the learned model. This indicates that the models learn very little knowledge about the intrusion that would be transferable from one setting to another. The reasons for such behaviour were not fully understood in Al-Riyami et al. (ACM, pp 2195-2197 [1]). In this paper, we investigate the problem and show that the main reason is the different definitions of the same feature in both models. We propose the correction and further empirically investigate cross-datasets evaluation for various machine learning methods. Further, we explored cross-dataset evaluation in the multiclass classification of attacks, and we show for most models that learning traffic normality is more robust than learning intrusions.
KW - Machine learning
KW - Model evaluation
KW - Network intrusion detection system
KW - Network security
KW - Security and privacy
UR - http://www.scopus.com/inward/record.url?scp=85119022563&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85119022563&partnerID=8YFLogxK
U2 - 10.1007/978-981-16-2102-4_73
DO - 10.1007/978-981-16-2102-4_73
M3 - Conference contribution
AN - SCOPUS:85119022563
SN - 9789811621017
T3 - Lecture Notes in Networks and Systems
SP - 815
EP - 828
BT - Proceedings of 6th International Congress on Information and Communication Technology, ICICT 2021
A2 - Yang, Xin-She
A2 - Sherratt, Simon
A2 - Dey, Nilanjan
A2 - Joshi, Amit
PB - Springer Science and Business Media Deutschland GmbH
T2 - 6th International Congress on Information and Communication Technology, ICICT 2021
Y2 - 25 February 2021 through 26 February 2021
ER -