Explainable Cross-domain Evaluation of ML-based Network Intrusion Detection Systems
Published in: | Computers & electrical engineering 2023-05, Vol.108, p.108692, Article 108692 |
---|---|
Main Authors: | , |
Format: | Article |
Language: | English |
Summary: | Many of the proposed machine learning (ML) based network intrusion detection systems (NIDSs) achieve near perfect detection performance when evaluated on synthetic benchmark datasets. However, there is no record of if and how these results generalise to other network environments. In this paper, we investigate the cross-domain performance of ML-based NIDSs by extensively evaluating eight supervised and unsupervised learning models on four recently published benchmark NIDS datasets. Our investigation indicates that none of the considered models is able to generalise over all studied datasets. Interestingly, our results also indicate that the cross-domain performance has a high degree of asymmetry, i.e., swapping the source and target domains can significantly change the classification performance. Our investigation also indicates that overall, unsupervised learning methods perform better than supervised learning models in our considered scenarios. We further used SHAP values to explain the observed cross-domain performance results. They show a high correlation between a good model performance and a correspondence between feature distributions/values and Attack/Benign classes. |
---|---|
ISSN: | 0045-7906, 1879-0755 |
DOI: | 10.1016/j.compeleceng.2023.108692 |