The escalating sophistication of cyberattacks demands intrusion detection systems (IDS) that can generalize to unseen threats while remaining operationally practical. This work introduces a temporal-aware IDS framework evaluated on the UNSW-NB15 dataset using four chronological folds (three days for training, one day for testing) under a strict 20-feature budget and three regimes: Without Eng., With Eng., and With Eng. + SMOTE. The pipeline integrates robust preprocessing, eight domain-informed engineered ratios and rates (excluding their raw bases), per-fold top-20 feature selection via ExtraTrees importance, and a sweep of eight learners—ExtraTrees, HistGBM, LightGBM, DecisionTree, RandomForest, MLP, XGBoost, and a 1D CNN baseline. Beyond standard metrics, this study emphasizes Alert-Budget Utility (ABU)—the F1-score computed only on the top-k alerts—evaluated at budgets {5, 10, 20, 30}%. Although ROC–AUC remains consistently high (≈0.999) yet offers limited operational interpretability, ABU reveals budget-dependent leadership: HistGBM dominates at 5–10% (F1 ≈ 0.40/0.66 with Precision = 1.0), RandomForest (With Eng.) peaks at 20% (F1 ≈ 0.97), and HistGBM regains the lead at 30% (F1 ≈ 0.81). The CNN underperforms without engineered features (F1 ≈ 0.12) but improves substantially when augmented with domain-guided attributes (F1 ≈ 0.90), highlighting the necessity of feature engineering even for deep learners. A runtime analysis shows ExtraTrees (With Eng.) processing ≈226k rows/s (~4.4 s per million flows), while RandomForest (With Eng.) delivers the best ABU@20%. All results, code, and artifacts are released for full reproducibility.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Temporal-Aware Machine and Deep Learning Models for Intrusion Detection Using Engineered Features and UNSW-NB15 Dataset

  • Anita Kumari,
  • Rashmi Saini

摘要

The escalating sophistication of cyberattacks demands intrusion detection systems (IDS) that can generalize to unseen threats while remaining operationally practical. This work introduces a temporal-aware IDS framework evaluated on the UNSW-NB15 dataset using four chronological folds (three days for training, one day for testing) under a strict 20-feature budget and three regimes: Without Eng., With Eng., and With Eng. + SMOTE. The pipeline integrates robust preprocessing, eight domain-informed engineered ratios and rates (excluding their raw bases), per-fold top-20 feature selection via ExtraTrees importance, and a sweep of eight learners—ExtraTrees, HistGBM, LightGBM, DecisionTree, RandomForest, MLP, XGBoost, and a 1D CNN baseline. Beyond standard metrics, this study emphasizes Alert-Budget Utility (ABU)—the F1-score computed only on the top-k alerts—evaluated at budgets {5, 10, 20, 30}%. Although ROC–AUC remains consistently high (≈0.999) yet offers limited operational interpretability, ABU reveals budget-dependent leadership: HistGBM dominates at 5–10% (F1 ≈ 0.40/0.66 with Precision = 1.0), RandomForest (With Eng.) peaks at 20% (F1 ≈ 0.97), and HistGBM regains the lead at 30% (F1 ≈ 0.81). The CNN underperforms without engineered features (F1 ≈ 0.12) but improves substantially when augmented with domain-guided attributes (F1 ≈ 0.90), highlighting the necessity of feature engineering even for deep learners. A runtime analysis shows ExtraTrees (With Eng.) processing ≈226k rows/s (~4.4 s per million flows), while RandomForest (With Eng.) delivers the best ABU@20%. All results, code, and artifacts are released for full reproducibility.