The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems

Enhancing Network Intrusion Detection Systems (NIDS) with supervised Machine Learning (ML) is tough. ML-NIDS must be trained and evaluated, operations requiring data where benign and malicious samples are clearly labeled. Such labels demand costly expert knowledge, resulting in a lack of real deploy...

Full description

Saved in:
Bibliographic Details
Published in:IEEE eTransactions on network and service management 2022-12, Vol.19 (4), p.5152-5169
Main Authors: Apruzzese, Giovanni, Pajola, Luca, Conti, Mauro
Format: Article
Language:English
Subjects:
Datasets
Evaluation
Intrusion detection systems
Labeling
Labels
Machine learning
Monitoring
Network intrusion detection
network security
Proposals
Reliability
Supervised learning
Training
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
cited_by cdi_FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23
cites cdi_FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23
container_end_page 5169
container_issue 4
container_start_page 5152
container_title IEEE eTransactions on network and service management
container_volume 19
creator Apruzzese, Giovanni
Pajola, Luca
Conti, Mauro
description Enhancing Network Intrusion Detection Systems (NIDS) with supervised Machine Learning (ML) is tough. ML-NIDS must be trained and evaluated, operations requiring data where benign and malicious samples are clearly labeled. Such labels demand costly expert knowledge, resulting in a lack of real deployments, as well as on papers always relying on the same outdated data. The situation improved recently, as some efforts disclosed their labeled datasets. However, most past works used such datasets just as a 'yet another' testbed, overlooking the added potential provided by such availability. In contrast, we promote using such existing labeled data to cross-evaluate ML-NIDS. Such approach received only limited attention and, due to its complexity, requires a dedicated treatment. We hence propose the first cross-evaluation model. Our model highlights the broader range of realistic use-cases that can be assessed via cross-evaluations, allowing the discovery of still unknown qualities of state-of-the-art ML-NIDS. For instance, their detection surface can be extended-at no additional labeling cost. However, conducting such cross-evaluations is challenging. Hence, we propose the first framework, XeNIDS, for reliable cross-evaluations based on Network Flows. By using XeNIDS on six well-known datasets, we demonstrate the concealed potential, but also the risks, of cross-evaluations of ML-NIDS.
doi_str_mv 10.1109/TNSM.2022.3157344
format article
fullrecord <record><control><sourceid>proquest_cross</sourceid><recordid>TN_cdi_crossref_primary_10_1109_TNSM_2022_3157344</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>9729769</ieee_id><sourcerecordid>2771521654</sourcerecordid><originalsourceid>FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23</originalsourceid><addsrcrecordid>eNpNkF1PwjAUhhujiYj-AOPNEq-H_VzXS0VUEsBE8LrpujMZwoZth-HfuwkxXjSnF897Ph6ErgkeEILV3WI2nw4opnTAiJCM8xPUI4rRmAsmT__9z9GF9yuMRUoU7aG3xRKioau9j0c7s25MKOsqqotoauyyrCCagHFVWX3ED8ZDHs0gfNfuMxpXwTW-Yx8hgP1Nzfc-wMZforPCrD1cHWsfvT-NFsOXePL6PB7eT2JLFQuxynJGTcqYLWSegrGWCZtkAmdYJJil7a4UaMITnmYYFwZYlmCccpZnWfso66PbQ9-tq78a8EGv6sZV7UhNpSSCkkTwliIHynZHOij01pUb4_aaYN2p05063anTR3Vt5uaQKQHgj1eSKpko9gMGcmor</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2771521654</pqid></control><display><type>article</type><title>The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems</title><source>IEEE Electronic Library (IEL) Journals</source><creator>Apruzzese, Giovanni ; Pajola, Luca ; Conti, Mauro</creator><creatorcontrib>Apruzzese, Giovanni ; Pajola, Luca ; Conti, Mauro</creatorcontrib><description>Enhancing Network Intrusion Detection Systems (NIDS) with supervised Machine Learning (ML) is tough. ML-NIDS must be trained and evaluated, operations requiring data where benign and malicious samples are clearly labeled. Such labels demand costly expert knowledge, resulting in a lack of real deployments, as well as on papers always relying on the same outdated data. The situation improved recently, as some efforts disclosed their labeled datasets. However, most past works used such datasets just as a 'yet another' testbed, overlooking the added potential provided by such availability. In contrast, we promote using such existing labeled data to cross-evaluate ML-NIDS. Such approach received only limited attention and, due to its complexity, requires a dedicated treatment. We hence propose the first cross-evaluation model. Our model highlights the broader range of realistic use-cases that can be assessed via cross-evaluations, allowing the discovery of still unknown qualities of state-of-the-art ML-NIDS. For instance, their detection surface can be extended-at no additional labeling cost. However, conducting such cross-evaluations is challenging. Hence, we propose the first framework, XeNIDS, for reliable cross-evaluations based on Network Flows. By using XeNIDS on six well-known datasets, we demonstrate the concealed potential, but also the risks, of cross-evaluations of ML-NIDS.</description><identifier>ISSN: 1932-4537</identifier><identifier>EISSN: 1932-4537</identifier><identifier>DOI: 10.1109/TNSM.2022.3157344</identifier><identifier>CODEN: ITNSC4</identifier><language>eng</language><publisher>New York: IEEE</publisher><subject>Datasets ; Evaluation ; Intrusion detection systems ; Labeling ; Labels ; Machine learning ; Monitoring ; Network intrusion detection ; network security ; Proposals ; Reliability ; Supervised learning ; Training</subject><ispartof>IEEE eTransactions on network and service management, 2022-12, Vol.19 (4), p.5152-5169</ispartof><rights>Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2022</rights><lds50>peer_reviewed</lds50><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23</citedby><cites>FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23</cites><orcidid>0000-0002-3612-1934 ; 0000-0002-6890-9611</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/9729769$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>314,780,784,27924,27925,54796</link.rule.ids></links><search><creatorcontrib>Apruzzese, Giovanni</creatorcontrib><creatorcontrib>Pajola, Luca</creatorcontrib><creatorcontrib>Conti, Mauro</creatorcontrib><title>The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems</title><title>IEEE eTransactions on network and service management</title><addtitle>T-NSM</addtitle><description>Enhancing Network Intrusion Detection Systems (NIDS) with supervised Machine Learning (ML) is tough. ML-NIDS must be trained and evaluated, operations requiring data where benign and malicious samples are clearly labeled. Such labels demand costly expert knowledge, resulting in a lack of real deployments, as well as on papers always relying on the same outdated data. The situation improved recently, as some efforts disclosed their labeled datasets. However, most past works used such datasets just as a 'yet another' testbed, overlooking the added potential provided by such availability. In contrast, we promote using such existing labeled data to cross-evaluate ML-NIDS. Such approach received only limited attention and, due to its complexity, requires a dedicated treatment. We hence propose the first cross-evaluation model. Our model highlights the broader range of realistic use-cases that can be assessed via cross-evaluations, allowing the discovery of still unknown qualities of state-of-the-art ML-NIDS. For instance, their detection surface can be extended-at no additional labeling cost. However, conducting such cross-evaluations is challenging. Hence, we propose the first framework, XeNIDS, for reliable cross-evaluations based on Network Flows. By using XeNIDS on six well-known datasets, we demonstrate the concealed potential, but also the risks, of cross-evaluations of ML-NIDS.</description><subject>Datasets</subject><subject>Evaluation</subject><subject>Intrusion detection systems</subject><subject>Labeling</subject><subject>Labels</subject><subject>Machine learning</subject><subject>Monitoring</subject><subject>Network intrusion detection</subject><subject>network security</subject><subject>Proposals</subject><subject>Reliability</subject><subject>Supervised learning</subject><subject>Training</subject><issn>1932-4537</issn><issn>1932-4537</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2022</creationdate><recordtype>article</recordtype><recordid>eNpNkF1PwjAUhhujiYj-AOPNEq-H_VzXS0VUEsBE8LrpujMZwoZth-HfuwkxXjSnF897Ph6ErgkeEILV3WI2nw4opnTAiJCM8xPUI4rRmAsmT__9z9GF9yuMRUoU7aG3xRKioau9j0c7s25MKOsqqotoauyyrCCagHFVWX3ED8ZDHs0gfNfuMxpXwTW-Yx8hgP1Nzfc-wMZforPCrD1cHWsfvT-NFsOXePL6PB7eT2JLFQuxynJGTcqYLWSegrGWCZtkAmdYJJil7a4UaMITnmYYFwZYlmCccpZnWfso66PbQ9-tq78a8EGv6sZV7UhNpSSCkkTwliIHynZHOij01pUb4_aaYN2p05063anTR3Vt5uaQKQHgj1eSKpko9gMGcmor</recordid><startdate>202212</startdate><enddate>202212</enddate><creator>Apruzzese, Giovanni</creator><creator>Pajola, Luca</creator><creator>Conti, Mauro</creator><general>IEEE</general><general>The Institute of Electrical and Electronics Engineers, Inc. (IEEE)</general><scope>97E</scope><scope>RIA</scope><scope>RIE</scope><scope>AAYXX</scope><scope>CITATION</scope><orcidid>https://orcid.org/0000-0002-3612-1934</orcidid><orcidid>https://orcid.org/0000-0002-6890-9611</orcidid></search><sort><creationdate>202212</creationdate><title>The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems</title><author>Apruzzese, Giovanni ; Pajola, Luca ; Conti, Mauro</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2022</creationdate><topic>Datasets</topic><topic>Evaluation</topic><topic>Intrusion detection systems</topic><topic>Labeling</topic><topic>Labels</topic><topic>Machine learning</topic><topic>Monitoring</topic><topic>Network intrusion detection</topic><topic>network security</topic><topic>Proposals</topic><topic>Reliability</topic><topic>Supervised learning</topic><topic>Training</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Apruzzese, Giovanni</creatorcontrib><creatorcontrib>Pajola, Luca</creatorcontrib><creatorcontrib>Conti, Mauro</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE All-Society Periodicals Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>CrossRef</collection><jtitle>IEEE eTransactions on network and service management</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Apruzzese, Giovanni</au><au>Pajola, Luca</au><au>Conti, Mauro</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems</atitle><jtitle>IEEE eTransactions on network and service management</jtitle><stitle>T-NSM</stitle><date>2022-12</date><risdate>2022</risdate><volume>19</volume><issue>4</issue><spage>5152</spage><epage>5169</epage><pages>5152-5169</pages><issn>1932-4537</issn><eissn>1932-4537</eissn><coden>ITNSC4</coden><abstract>Enhancing Network Intrusion Detection Systems (NIDS) with supervised Machine Learning (ML) is tough. ML-NIDS must be trained and evaluated, operations requiring data where benign and malicious samples are clearly labeled. Such labels demand costly expert knowledge, resulting in a lack of real deployments, as well as on papers always relying on the same outdated data. The situation improved recently, as some efforts disclosed their labeled datasets. However, most past works used such datasets just as a 'yet another' testbed, overlooking the added potential provided by such availability. In contrast, we promote using such existing labeled data to cross-evaluate ML-NIDS. Such approach received only limited attention and, due to its complexity, requires a dedicated treatment. We hence propose the first cross-evaluation model. Our model highlights the broader range of realistic use-cases that can be assessed via cross-evaluations, allowing the discovery of still unknown qualities of state-of-the-art ML-NIDS. For instance, their detection surface can be extended-at no additional labeling cost. However, conducting such cross-evaluations is challenging. Hence, we propose the first framework, XeNIDS, for reliable cross-evaluations based on Network Flows. By using XeNIDS on six well-known datasets, we demonstrate the concealed potential, but also the risks, of cross-evaluations of ML-NIDS.</abstract><cop>New York</cop><pub>IEEE</pub><doi>10.1109/TNSM.2022.3157344</doi><tpages>18</tpages><orcidid>https://orcid.org/0000-0002-3612-1934</orcidid><orcidid>https://orcid.org/0000-0002-6890-9611</orcidid><oa>free_for_read</oa></addata></record>
fulltext fulltext
identifier ISSN: 1932-4537
ispartof IEEE eTransactions on network and service management, 2022-12, Vol.19 (4), p.5152-5169
issn 1932-4537
1932-4537
language eng
recordid cdi_crossref_primary_10_1109_TNSM_2022_3157344
source IEEE Electronic Library (IEL) Journals
subjects Datasets
Evaluation
Intrusion detection systems
Labeling
Labels
Machine learning
Monitoring
Network intrusion detection
network security
Proposals
Reliability
Supervised learning
Training
title The Cross-Evaluation of Machine Learning-Based Network Intrusion Detection Systems
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-26T18%3A37%3A45IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=The%20Cross-Evaluation%20of%20Machine%20Learning-Based%20Network%20Intrusion%20Detection%20Systems&rft.jtitle=IEEE%20eTransactions%20on%20network%20and%20service%20management&rft.au=Apruzzese,%20Giovanni&rft.date=2022-12&rft.volume=19&rft.issue=4&rft.spage=5152&rft.epage=5169&rft.pages=5152-5169&rft.issn=1932-4537&rft.eissn=1932-4537&rft.coden=ITNSC4&rft_id=info:doi/10.1109/TNSM.2022.3157344&rft_dat=%3Cproquest_cross%3E2771521654%3C/proquest_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c293t-9bd32a833cf7d8eacc35c6b50b0560385372e264648b00fae3b600843dbb3db23%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2771521654&rft_id=info:pmid/&rft_ieee_id=9729769&rfr_iscdi=true