Identifying and Benchmarking Key Features for Cyber Intrusion Detection: An Ensemble Approach

Abstract

In today's interconnected era, intrusion detection system (IDS) has the potential to be the frontier of defense against cyberattacks and plays an essential role in achieving security of networking resources and infrastructures. The performance of IDS depends highly on data features. Selecting the most informative features eliminating the redundant and irrelevant features from network traffic data for IDS is still an open research issue. The key impetus of this paper is to identify and benchmark the potential set of features that can characterize network traffic for intrusion detection. In this correspondence, an ensemble approach is proposed. As a first step, the approach applies four different feature evaluation measures, such as correlation, consistency, information, and distance, to select the more crucial features for intrusion detection. Second, it applies the subset combination strategy to merge the output of the four measures and achieve the potential feature set. Along with this, a new framework that adopts the data analytic lifecycle practices is explored to employ the proposed ensemble for building an effective IDS. The effectiveness of the proposed approach is demonstrated by conducting several experiments on four intrusion detection evaluation datasets, namely KDDCup'99, NSL-KDD, UNSW-NB15, and CICIDS2017. The obtained results prove that the proposed approach contributes more potential features compared to the state-of-the-art approaches, leading to achieve a promising performance gain in the detection rate of 3.2%, the false alarm rate of 38%, and the detection time of 12%. Furthermore, ROC and statistical significance are analyzed for the identified feature subset to strongly conform its acceptability as a future benchmark for building an effective IDS.