In-depth Comparative Evaluation of Supervised Machine Learning

Approaches for Detection of Cybersecurity Threats

Laurens D’hooge, Tim Wauters, Bruno Volckaert and Filip De Turck

Ghent University - imec, IDLab, Department of Information Technology, Technologiepark-Zwijnaarde 126, Gent, Belgium

Keywords:

Intrusion Detection, CICIDS2017, Supervised Machine Learning, Binary Classification.

Abstract:

This paper describes the process and results of analyzing CICIDS2017, a modern, labeled data set for test-

ing intrusion detection systems. The data set is divided into several days, each pertaining to different attack

and corporate-grade equipment, was taken into account as an additional requirement. The work detailed in this

paper establishes a novel supervised machine learning performance baseline for CICIDS2017. Graphics of the

results as well as the raw tables are publicly available at https://gitlab.ilabt.imec.be/lpdhooge/cicids2017-ml-

graphics.

1 INTRODUCTION

Intrusion detection is a cornerstone of cybersecurity

and an active field of research since the 1980s. Al-

though the early research focused more on host intru-

sion detection systems (HIDS), the principal aims of

an intrusion detection system (IDS) have not changed.

shifted part of the research away from HIDS to net-

work intrusion detection systems (NIDS). This paper

details the experiment and results of analyzing a mod-

ern intrusion detection dataset (CICIDS2017) and it

is structured as follows. First an overview of the re-

lated work in intrusion detection and network secu-

rity dataset generation is given, then the implementa-

tion of the analysis is described (section 3). Third and

most important is the discussion of the results (sec-

tion 4), summarized in the conclusion . Key findings

ing effectiveness of simple distance-based methods

2.1 Intrusion Detection

The field of network intrusion detection developed

two main visions on solving the problem of deter-

mining whether observed traffic is legitimate. The

chronologically first approach, is the use of signature-

based systems (also called misuse detection systems).

Within this category different strategies have been re-

searched (Axelsson, 2000), including state modelling,

string matching, simple rule based systems and ex-

pert systems (emulating human expert knowledge, by

D’hooge, L., Wauters, T., Volckaert, B. and De Turck, F.

In-depth Comparative Evaluation of Supervised Machine Learning Approaches for Detection of Cybersecurity Threats.

DOI: 10.5220/0007724801250136

In Proceedings of the 4th International Conference on Internet of Things, Big Data and Security (IoTBDS 2019), pages 125-136

ISBN: 978-989-758-369-8

Copyright

c

been around almost as long, but the methods have

changed drastically in the past years. Early systems

have enabled more advanced statistical methods to be-

come feasible. Work by Buczak et al. (Buczak and

Guven, 2016) concluded that making global recom-

mendations is impossible and the nature of the data

and types of attacks to be classified should be taken

into account when designing an IDS. Furthermore

they stress the requirement for training data in the

field of network intrusion detection and an evaluation

approach that considers more than just accuracy. On a

final note, the authors included recommendations for

neural networks for intrusion detection. Their graph-

ical overview of IDS techniques clearly shows the

dominant position of anomaly based methods, driven

by the adoption of machine learning techniques.

Their main contribution is a chapter explaining the

algorithm classes of neural networks. The work dif-

ferentiates between artificial neural networks (ANN)

(shallow) and deep networks (DN), with subdivisions

between supervised and unsupervised methods for

ANNs and generative versus discriminative methods

their efficacy. All techniques used in this work are

supervised, machine learning algorithms. This means

that they do not just require data, but that data has to

be labeled. The dataset landscape in intrusion detec-

tion has a.o. been described by Wu et al. (Wu and

Banzhaf, 2010) as part of a review paper on the state

of computational intelligence in intrusion detection

systems and more succinctly by Shiravi et al. (Shiravi

et al., 2012), as prelude to their efforts in generating a

new approach for dataset creation.

subject of ACM’s yearly competition on Data mining

and Knowledge Discovery in 1999 is by far the most

by Brown et al. in 2009 (Brown et al., 2009) and by

Tavallaee et al. also in 2009 (Tavallaee et al., 2009).

The persistence of a single dataset for almost two

decades and its improved version, which now also

is nearly a decade old, called for new research into

dataset generation. The Canadian Institute for Cyber-

security (CIC), a coalition of academia, government

and the public sector, based at the University of New

Brunswick is the front runner in this field of research.

The analysis by Tavallaee et al. of the dataset resulted

added to NSL-KDD with a much higher frequency

than items which most of the classifiers identified cor-

rectly. Because NSL-KDD is a derivation of KDD99,

it is not completely free from its origin’s issues.

After publishing NSL-KKD, the CIC started a new

project to create modern, realistic datasets in a scal-

col abstractions ranging from statistical distributions

to custom user-simulating algorithms. Building on

this foundation, published in 2012, a new dataset was

published in 2017. The main difference is that CI-

CIDS2017 (Sharafaldin et al., 2018) is geared more

towards machine learning, with its 80 flow-based fea-

tures, whereas, ISCXIDS2012 had 20 packet features.

Both datasets give access to the raw pcap files, for fur-

ther analysis. The flow features were gathered with

CICFlowMeter, an open source flow generator and

report). This rest of this work will cover an analysis

of the newest dataset, CICIDS2017.

3 ARCHITECTURE AND

The evaluation of this dataset is a project in Python,

neering, by Martin Zinkevich, has been influential on

the implementation (mainly rules 2, 4, 24, 25, 32

and 40), as well as the detailed guides offered by

Scikit-Learn. The current implementation makes use

of nine supervised machine learning classifiers. Four

tree-based algorithms: a single decision tree (CART)

(dtree), a random forest ensemble learner (rforest), a

bagging ensemble learner (bag) and an adaboost en-

semble learner (ada). Two neighbor-based ones: the

K-nearest neighbor classifier (knn) and the N-centroid

Parameter tuning is done with grid search, eval-

uating all combinations of a parameter grid. This is

rameter search spaces can be seen in table 3.

aged, compared to accuracy itself which also uses

equation 1 over all classes simultaneously. TP, TN,

FP, FN respectively stand for true / false positive /

negative.

ACC =

T P + T N

T P + T N + FP + FN

how many are actually positive (equation 2).

sion and recall (equation 4), the F1-score combines

these metrics in such a way that the impact of poor

scores on either of the metrics, heavily impacts the fi-

nal score. In order to achieve a high F1-score, it is not

only sufficient to be precise in prediction (discrimina-

tive power), but equally high in finding a generalized

representation of positive samples.

the true positive rate (recall) on the y-axis and the

false positive rate (equation 5) on the x-axis at differ-

each other. An AUC of 0.5 indicates that the class dis-

tributions overlay each other fully, meaning that the

classifier isn’t better than random guessing. The AUC

reduces the ROC curve to a single number. If special

care has to be given to the avoidance of false posi-

tives or to maximal true positive rate, then the AUC

metric is no longer helpful. For unbalanced data sets,

the ROC curve is a great tool, because the imbalance

is irrelevant to the outcome.

The optimal parameters are decided by a voting

mechanism that works as follows: 1: Find the highest

ranked set of parameters for each of the five metrics.

2: Aggregate across the found sets. 3: Pick the most

prevalent set. Some algorithms showed a high pref-

erence for certain parameter values. The results are

summarized in table 4.

Parameter tuning search results

Algorithm Parameters Search results

bag

max features 0.7 / 0.8 (18/21)

max samples 0.9 / 1.0 (19/21)

ada

n estimators no clear winners

learning rate 0.6 (7/21)

knn

n neighbors 1 (20/21)

distance metric manhattan (17/21)

linsvc

Parameters

For each day (each attack scenario), the algorithms

were retested with optimal parameters. Execution of

the fixed parameter functions, yields a dictionary with

rics used to evaluate in the cross-validation phase (de-

scribed in paragraph 3.3). In addition the accuracy

4 EVALUATION RESULTS

This section describes the results from the retesting

with optimized parameters. In total 9 algorithms were

tested. It should be noted that for two of these no

cross-validation was done. The N-centroid classifier

does not use optimized parameters, due to a limita-

tion of Scikit-learn. For the RBF-SVC classifier, pa-

equipped with 2X Intel Xeon E5-2650v2 @ 2.6GHz

(16 cores) and 48GB of RAM, while the consumer-

grade host had 1X Intel Core i5-4690 @ 3.5GHz (4

cores) and 16 GB of RAM.

4.1 Algorithm Comparison

This section details the results of testing the vari-

ous classification algorithms. The algorithms are

grouped, based on their underlying classifier. Due

to page constraints only results of single execution

on the consumer-grade hardware are contained in

On the whole, the tree-based classifiers obtained the

best results for all attack types, on all metrics. Even

a single decision tree is able to achieve 99+% on

all metrics for the DoS / DDoS and Botnet attack

types. Another interesting finding is that building the

tree without scaling the features, improves the perfor-

mance on all metrics for detection of the brute force

and port scanning traffic, to be near-perfect. Results

on the merged dataset reveal that identification across

different attack classes works with equally great re-

Figure 1: Sample result, full results available at

https://gitlab.ilabt.imec.be/lpdhooge/cicids2017-ml-

graphics.

(DoS, port scan & DDoS) and might obfuscate worse

performance on the less prevalent attack classes.

When introducing meta-estimators, techniques at

a higher level of abstraction that introduce concepts

to improve the underlying classifier(s), several bene-

fits were discovered. Random forests improved the

infiltration attacks as well. This attack type consis-

tently is the hardest to classify, not least because the

dataset only contains 36 of these flows, compared to

the 288566 benign samples in the same set (2).A mod-

est improvement on all metrics is observed for the

merged data set compared to a single decision tree.

The bagging classifier proved itself to be a more

potent meta-estimator, reaching near-perfect scores

on all metrics for the brute force, Dos, DDoS, botnet

and port scanning traffic. The improved performance

very low. The almost perfect classification on five of

the seven attack classes generalized to the evaluation

of the entire data set.

mentioned classes. Thanks to its focus on improv-

ing classification for difficult samples, it was the best

total, 5 of the seven attack classes could be discov-

ered with very high reliability, irrespective of the em-

ployed feature scaling method. On the web attacks

(brute force, XSS and SQLi), the random forest and

bagging classifiers had a slight, but stable edge com-

pared to single decision trees and adaboost. The only

class on which classification underperformed on all

metrics was infiltration. Results pertaining to execu-

tion times are described in subsection 4.2.

This subsection covers three more algorithms, two

support vector machines: one with a linear kernel and

one with a radial basis function kernel and a logistic

regression classifier. Full results are listed in table 7.

gorithm thus succeeds in recognizing most of the at-

tacks, but has higher false-positive rates compared to

the tree-based methods. Precision on the infiltration

attack classes is extremely poor. The logistic regres-

sion with binomial output results, tells a similar story.

this model gets reduced. One consistent result is that

feature scaling is a necessity for the logistic regres-

sion classifier, preferring standardization over min-

max scaling. The generalization or lack thereof is

clearly visible in the results on the merged data set.

Performance is reasonable with standardized features

(98.4% recall & 80.4% precision), but not even close

to the performance of the tree-based classifiers. This

performance reduction does indicate that misclassifi-

cation on the less prevalent classes is impactful on

method selection for feature scaling. This classifier

has dismal performance when features are used as in-

ceeds much better at recognizing brute force, web and

botnet traffic, making the classifier a valid contender

for use on five of the seven attack classes.

Despite its simplicity, the k-nearest neighbors algo-

rithm, generally looking at only one neighbor and us-

ing the Manhattan (block) distance metric, is a high-

performer in 6/7 attack scenarios. In four scenarios,

99.9% on all metrics is almost invariably obtained,

with metrics for the other attack classes never be-

low 95.7%. The elusive class to recognize remains

infiltration attack traffic. Interestingly enough, even

though this too is a distance-based algorithm, all fea-

ture scaling methods, yielded very similar results.

straints, when evaluating traffic. Some example con-

gain insight in the run time requirements of the dif-

ferent algorithms, summarizing charts can be seen in

the algorithms split in two categories when looking at

execution times: all tree and neighbor methods keep

their execution time under one minute on both types

of infrastructure when evaluating data sets under 300

MB. The SVM and regression models take more time

to run, with outliers that are caused by not scaling the

features. Applying a standardizing scaler to the data,

drastically reduces the execution time. Third, the

consumer-grade infrastructure holds its own against

the corporate server. The reason for this is twofold.

as good as insensitive to data set size. In combination

with the classifier’s ability in recognizing DDoS and

port scanning traffic, it is conceivable to employ it in

real-time on IoT networks to identify compromised

(data analytics and remediation engine) component

of the SHIELD platform, a cybersecurity solution for

kept only a 10-feature subset of the flow data. This

subset was chosen, not produced by a feature selec-

tion technique. The threat classification made use of

the random forest and multi-layer perceptron classi-

fiers. Optimal models from a 10-fold cross-validation

were used on 20% of the data that was held out for

validation. The random forest classifier obtained the

best results on accuracy, precision and recall, often

reaching perfect classification. The multi-layer per-

ceptron had similar accuracy scores, but much greater

This paper contains a detailed analysis of CI-

execution time. The elusive attack class to classify

was infiltration. One reason for this might be the se-

classes. It is held back by its steep increase in exe-

cution time for larger data sets, even though it gener-

alizes as well as the tree-base meta-estimators. Op-

posite to this is the nearest centroid classifier, being

nigh insensitive to dataset size, while applicable for

the classification of port scan and DDoS traffic and for

perfect detection of brute force and DoS traffic. The

final algorithms, two support vector machines with

different kernels and logistic regression are useful for

recognition of port scan, DoS and DDoS traffic, pro-

Denning, D. and Neumann, P. G. (1985). Requirements and

Hodo, E., Bellekens, X., Hamilton, A., Tachtatzis, C., and

Marir, N., Wang, H., Feng, G., Li, B., and Jia, M.

McHugh, J. (2000). The 1998 lincoln laboratory ids eval-

McKinney, W. pandas: a foundational python library for

data analysis and statistics.

Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V.,

Thirion, B., Grisel, O., Blondel, M., Prettenhofer,

P., Weiss, R., Dubourg, V., Vanderplas, J., Passos,

A., Cournapeau, D., Brucher, M., Perrot, M., and

Duchesnay, E. (2011). Scikit-learn: Machine learning

in Python. Journal of Machine Learning Research,

12:2825–2830.

Sharafaldin, I., Lashkari, A. H., and Ghorbani, A. A.

computers & security, 31(3):357–374.

Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A. A.

(2009). A detailed analysis of the kdd cup 99 data

set. In Computational Intelligence for Security and

Defense Applications, 2009. CISDA 2009. IEEE Sym-

posium on, pages 1–6. IEEE.

Wu, S. X. and Banzhaf, W. (2010). The use of computa-

tional intelligence in intrusion detection systems: A

review. Applied soft computing, 10(1):1–35.

Zinkevich, M. Rules of machine learning: Best practices

https://gitlab.ilabt.imec.be/lpdhooge/cicids2017-

ml-graphics. Mirror tables and accompanying

graphics of testing on the Intel Xeon E5-2650v2 are

also available via the aforementioned link.