Consolidating Packet-Level Features for Effective Network Intrusion Detection: A Novel Session-Level Approach

Abstract

Network Intrusion Detection Systems (NIDSs) are crucial tools for ensuring cyber security. Recently, machine learning-based NIDSs have gained popularity due to their ability to adapt to various anomalies. To enable machine learning techniques, packet-level features have been proposed for packet-level classification, but this approach may generate an excessive number of security alerts and reduce performance due to irrelevant packets. To address these limitations, this paper proposes a session-level classification approach that consolidates packet-level classification outputs to identify anomalous sessions. The effectiveness of the proposed approach is demonstrated by a prototype system. Experiments on a publicly available benchmark dataset demonstrate the high performance of proposed approach achieving F1-measure exceeding 98%. It also shows that even when we used only a few packets in head parts of each session to obtain session-level predictions, the high F1-measure still could be achieved. This result implies that the proposed approach is also efficient in terms of the number of packets to be processed. These results highlight the promising potential of the proposed approach for adaptive network intrusion detection.