Towards an Optimized Ensemble Feature Selection for DDoS Detection Using Both Supervised and Unsupervised Method †
Abstract
1. Introduction
- Implement a wide variety of feature selection methods from three major categories: filter-based, wrapper-based, and embedded. We also fine-tune the hyper-parameters of each feature selection method using the grid search technique. Finally, we compare the performance of the individual feature selection methods using state-of-the-art machine learning, deep learning, and unsupervised learning models.
- Ensemble the feature sets extracted from the individual feature selection methods based on majority voting. Since different feature subsets perform differently for different classification models, we combine them to find a better common feature subset for all major types of attack detection algorithms.
- Evaluate the performance of the ensemble feature selection method using machine learning, deep learning, and unsupervised learning models, and compare it against the individual feature selection methods to extract an optimal feature set.
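The grid-search tuning of a feature selection method mentioned above can be sketched with scikit-learn by placing the selector inside a pipeline and searching over its hyper-parameter. This is a minimal illustration, not the exact configuration used in this work: the selector (`SelectKBest`), the classifier, the candidate values of `k`, and the synthetic data are all assumptions.

```python
from sklearn.datasets import make_classification
from sklearn.feature_selection import SelectKBest, f_classif
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import GridSearchCV
from sklearn.pipeline import Pipeline

# Synthetic stand-in for the preprocessed traffic features.
X, y = make_classification(n_samples=300, n_features=20, random_state=0)

# Filter-based selector followed by a classifier; grid search tunes
# the selector's hyper-parameter (number of retained features).
pipe = Pipeline([
    ("select", SelectKBest(score_func=f_classif)),
    ("clf", LogisticRegression(max_iter=1000)),
])
grid = GridSearchCV(pipe, {"select__k": [5, 10, 15, 20]}, cv=3)
grid.fit(X, y)
print(grid.best_params_["select__k"])  # number of features that scored best
```

The same pattern applies to wrapper and embedded selectors: only the first pipeline step and its parameter grid change.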
2. Literature Review
2.1. Supervised Techniques
2.2. Unsupervised Techniques
3. Methodology
3.1. Dataset
3.2. Data Preprocessing
3.3. Ensemble Feature Selection
3.4. Attack Detection Models
3.5. Evaluation Metrics
3.6. Software and Hardware Preliminaries
4. Results and Discussion
4.1. Individual Feature Selection
4.2. Ensemble Feature Selection
4.3. Performance Evaluation
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Tunggal, A. Why Is Cybersecurity Important? UpGuard. 2021. Available online: https://www.upguard.com/blog/cybersecurity-important (accessed on 15 November 2021).
- Brownlee, J. Feature Selection to Improve Accuracy and Decrease Training Time. Available online: https://machinelearningmastery.com/feature-selection-to-improve-accuracy-and-decrease-training-time/ (accessed on 15 November 2021).
- Hoque, N.; Singh, M.; Bhattacharyya, D. EFS-MI: An ensemble feature selection method for classification. Complex Intell. Syst. 2018, 4, 105–118.
- Pes, B. Ensemble feature selection for high-dimensional data: A stability analysis across multiple domains. Neural Comput. Appl. 2020, 32, 5951–5973.
- Li, J.; Cheng, K.; Wang, S.; Morstatter, F.; Trevino, R.; Tang, J.; Liu, H. Feature selection: A data perspective. ACM Comput. Surv. (CSUR) 2017, 50, 1–45.
- Chebrolu, S.; Abraham, A.; Thomas, J. Feature deduction and ensemble design of intrusion detection systems. Comput. Secur. 2005, 24, 295–307.
- Amiri, F.; Yousefi, M.; Lucas, C.; Shakery, A.; Yazdani, N. Mutual information-based feature selection for intrusion detection systems. J. Netw. Comput. Appl. 2011, 34, 1184–1199.
- Das, S.; Mahfouz, A.; Venugopal, D.; Shiva, S. DDoS intrusion detection through machine learning ensemble. In Proceedings of the 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C), Sofia, Bulgaria, 22–26 July 2019; pp. 471–477.
- Manevitz, L.; Yousef, M. One-class SVMs for document classification. J. Mach. Learn. Res. 2001, 2, 139–154.
- Tang, T.; Mhamdi, L.; Zaidi, S.; El-moussa, F.; McLernon, D.; Ghogho, M. A deep learning approach combining auto-encoder with one-class SVM for DDoS attack detection in SDNs. In Proceedings of the International Conference on Communications and Networking, Chongqing, China, 15–17 November 2019.
- Cheng, Z.; Zou, C.; Dong, J. Outlier detection using isolation forest and local outlier factor. In Proceedings of the Conference on Research in Adaptive and Convergent Systems, Chongqing, China, 24–27 September 2019; pp. 161–168.
- Saha, S.; Priyoti, A.; Sharma, A.; Haque, A. Towards an Optimal Feature Selection Method for AI-Based DDoS Detection System. In Proceedings of the 2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC), Las Vegas, NV, USA, 8–11 January 2022; pp. 425–428.
- Tsai, C.; Hsu, Y.; Lin, C.; Lin, W. Intrusion detection by machine learning: A review. Expert Syst. Appl. 2009, 36, 11994–12000.
- Mukkamala, S.; Sung, A.; Abraham, A. Intrusion detection using ensemble of soft computing paradigms. In Intelligent Systems Design and Applications; Springer: Berlin/Heidelberg, Germany, 2003; pp. 239–248.
- Gomes, H.; Barddal, J.; Enembreck, F.; Bifet, A. A survey on ensemble learning for data stream classification. ACM Comput. Surv. (CSUR) 2017, 50, 1–36.
- Sagi, O.; Rokach, L. Ensemble learning: A survey. Wiley Interdiscip. Rev. Data Min. Knowl. Discov. 2018, 8, e1249.
- Gao, X.; Shan, C.; Hu, C.; Niu, Z.; Liu, Z. An adaptive ensemble machine learning model for intrusion detection. IEEE Access 2019, 7, 82512–82521.
- Pham, N.; Foo, E.; Suriadi, S.; Jeffrey, H.; Lahza, H. Improving performance of intrusion detection system using ensemble methods and feature selection. In Proceedings of the Australasian Computer Science Week Multiconference, Brisbane, QLD, Australia, 29 January–2 February 2018; pp. 1–6.
- Ravi, V.; Chaganti, R.; Alazab, M. Recurrent deep learning-based feature fusion ensemble meta-classifier approach for intelligent network intrusion detection system. Comput. Electr. Eng. 2022, 102, 108156.
- Chandrashekar, G.; Sahin, F. A survey on feature selection methods. Comput. Electr. Eng. 2014, 40, 16–28.
- Sheikhpour, R.; Sarram, M.; Gharaghani, S.; Chahooki, M. A survey on semi-supervised feature selection methods. Pattern Recognit. 2017, 64, 141–158.
- Khalid, S.; Khalil, T.; Nasreen, S. A survey of feature selection and feature extraction techniques in machine learning. In Proceedings of the 2014 Science and Information Conference, London, UK, 27–29 August 2014; pp. 372–378.
- Molina, L.; Belanche, L.; Nebot, À. Feature selection algorithms: A survey and experimental evaluation. In Proceedings of the 2002 IEEE International Conference on Data Mining, Maebashi City, Japan, 9–12 December 2002; pp. 306–313.
- Adams, S.; Beling, P. A survey of feature selection methods for Gaussian mixture models and hidden Markov models. Artif. Intell. Rev. 2019, 52, 1739–1779.
- Lin, S.; Ying, K.; Lee, C.; Lee, Z. An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection. Appl. Soft Comput. 2012, 12, 3285–3290.
- Osanaiye, O.; Cai, H.; Choo, K.; Dehghantanha, A.; Xu, Z.; Dlodlo, M. Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing. EURASIP J. Wirel. Commun. Netw. 2016, 2016, 1–10.
- Das, S.; Venugopal, D.; Shiva, S.; Sheldon, F. Empirical evaluation of the ensemble framework for feature selection in DDoS attack. In Proceedings of the 2020 International Conference on Edge Computing and Scalable Cloud (EdgeCom), New York, NY, USA, 1–3 August 2020; pp. 56–61.
- Dash, M.; Liu, H. Feature selection for classification. Intell. Data Anal. 1997, 1, 131–156.
- Wang, Y.; Wong, J.; Miner, A. Anomaly intrusion detection using one class SVM. In Proceedings of the Fifth Annual IEEE SMC Information Assurance Workshop, West Point, NY, USA, 10–11 June 2004; pp. 358–364.
- Erfani, S.; Rajasegarar, S.; Karunasekera, S.; Leckie, C. High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning. Pattern Recognit. 2016, 58, 121–134.
- Vasudevan, A.; Selvakumar, S. Local outlier factor and stronger one class classifier based hierarchical model for detection of attacks in network intrusion detection dataset. Front. Comput. Sci. 2016, 10, 755–766.
- Lazarevic, A.; Ertoz, L.; Kumar, V.; Ozgur, A.; Srivastava, J. A comparative study of anomaly detection schemes in network intrusion detection. In Proceedings of the 2003 SIAM International Conference on Data Mining, San Francisco, CA, USA, 1–3 May 2003; pp. 25–36.
- Amer, M.; Goldstein, M.; Abdennadher, S. Enhancing one-class support vector machines for unsupervised anomaly detection. In Proceedings of the ACM SIGKDD Workshop on Outlier Detection and Description, Chicago, IL, USA, 10–14 August 2013; pp. 8–15.
- Alshawabkeh, M.; Jang, B.; Kaeli, D. Accelerating the local outlier factor algorithm on a GPU for intrusion detection systems. In Proceedings of the 3rd Workshop on General-Purpose Computation on Graphics Processing Units, Pittsburgh, PA, USA, 14 March 2010; pp. 104–110.
- Karev, D.; McCubbin, C.; Vaulin, R. Cyber threat hunting through the use of an isolation forest. In Proceedings of the 18th International Conference on Computer Systems and Technologies, Ruse, Bulgaria, 23–24 June 2017; pp. 163–170.
- Tao, X.; Peng, Y.; Zhao, F.; Zhao, P.; Wang, Y. A parallel algorithm for network traffic anomaly detection based on Isolation Forest. Int. J. Distrib. Sens. Netw. 2018, 14, 1550147718814471.
- Elghazel, H.; Aussem, A. Unsupervised feature selection with ensemble learning. Mach. Learn. 2015, 98, 157–180.
- Vinayakumar, R.; Alazab, M.; Soman, K.; Poornachandran, P.; Al-Nemrat, A.; Venkatraman, S. Deep learning approach for intelligent intrusion detection system. IEEE Access 2019, 7, 41525–41550.
- Vinayakumar, R.; Soman, K.; Poornachandran, P. Evaluating effectiveness of shallow and deep networks to intrusion detection system. In Proceedings of the 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Manipal, Karnataka, India, 13–16 September 2017; pp. 1282–1289.
- Moustafa, N.; Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, 10–12 November 2015; pp. 1–6.
- Pedregosa, F.; Varoquaux, G.; Gramfort, A.; Michel, V.; Thirion, B.; Grisel, O.; Blondel, M.; Prettenhofer, P.; Weiss, R.; Dubourg, V.; et al. Scikit-learn: Machine Learning in Python. J. Mach. Learn. Res. 2011, 12, 2825–2830.
- Alotaibi, B.; Alotaibi, M. Consensus and majority vote feature selection methods and a detection technique for web phishing. J. Ambient. Intell. Humaniz. Comput. 2020, 12, 717–727.
- Ketkar, N. Introduction to Keras. In Deep Learning with Python; Apress: Berkeley, CA, USA, 2017; pp. 97–111.
- Moustafa, N.; Slay, J. The significant features of the UNSW-NB15 and the KDD99 data sets for network intrusion detection systems. In Proceedings of the 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), Kyoto, Japan, 5 November 2015; pp. 25–31.
- Kasongo, S.; Sun, Y. Performance analysis of intrusion detection systems using a feature selection method on the UNSW-NB15 dataset. J. Big Data 2020, 7, 1–20.
Ref. | FS Method | Pros | Cons |
---|---|---|---|
[6] | Bayesian networks and CART | Hybrid architecture involving ensemble and base classifiers for intrusion detection. | User to Root (U2R) attacks were not accurately distinguished. |
[7] | Modified Mutual Information-based Feature Selection method (MMIFS) | MMIFS is able to measure a general dependency between features and to rank them. | A large proportion of DoS and R2L (Remote to Local) attacks are missed by the detection methods. |
[8] | Not mentioned | Thorough testing and experiments are carried out to verify the ensemble methods. Their method works well on complex datasets and shows low time complexity. | Not mentioned |
[17] | Not mentioned | Shows better accuracy results compared to other related papers. Achieves a generalization effect by combining the advantages of different algorithms. | Long detection delay in practical application scenarios affects the response time of attack detection. |
[18] | Leave-one-out technique with a Naive Bayes classifier, Gain Ratio (GR) technique | The research indicated that the models used had high accuracy and low FAR (False Alarm Rate), with the bagging model (J48 as the base classifier on a 35-feature subset) producing the best results: 84.25% accuracy and 2.79% FAR. | They compared only the bagging and boosting ensemble techniques. |
[22] | Wrapper- and filter-based methods | Feature selection improves knowledge of the process under consideration, as it points out the features that mostly affect the considered phenomenon. The objective of both methods is to reduce the feature space in order to improve data analysis. | The computation time of the adopted learning machine and its accuracy need to be considered, as they are crucial in machine learning and data mining applications. |
[24] | Gaussian Mixture Models (GMM) and Hidden Markov Models (HMM) | Explored the possibilities of GMMs and HMMs for supervised and unsupervised FS methods. Their approach works better with unsupervised learning methods. | GMM-related methods were given more emphasis than HMM-related ones. |
[25] | Combination of support vector machine (SVM), decision tree (DT), and simulated annealing (SA) | Generates decision rules to detect new network intrusion attacks. | A detailed comparison with other processes is not provided. Experiments were conducted on a limited number of approaches (DT, SA, SVM). |
[26] | Info gain, Gain ratio, Chi-squared, ReliefF | Compared to single FS methods, their proposed ensemble-based multi-filter feature selection method is more efficient with less complexity. | Their process is more prone to false alarms during classification. |
[27] | EnFS | Produces an optimal set of features using an ensemble technique that improves accuracy significantly. Their technique’s false alarm rate is negligible. | Deep learning-related approaches were not explored. |
[37] | RCE and RFE | This research worked to bridge the gap between ensemble supervised and unsupervised FS learning. | Their proposed method is not well suited for smaller domains. |
[38] | Not mentioned | Proposed a scalable, novel hybrid image processing technique with optimal parameters for both ML and DL architectures. | Training was not conducted on complex DNN architectures. |
[39] | Feature reduction | Their approach evaluates shallow and deep networks, which were not explored in previous work. | This research did not perform experimental analysis on real-time deep network data. |
Supervised Learning

Split | Total Instances | Malicious | Benign
---|---|---|---
Train | 112,001 | 56,001 | 56,000
Test | 69,996 | 34,998 | 34,998

Unsupervised Learning

Split | Total Instances | Malicious | Benign
---|---|---|---
Train | 20,000 | 19,800 | 200
Test | 1,000 | 504 | 496
Model | Parameter Configuration |
---|---|
NB | alpha = 1.0, binarize = 0.0, fit_prior = True, class_prior = None |
LR | random_state = 0, solver = ‘lbfgs’, multi_class = ‘multinomial’ |
NN | solver = ‘lbfgs’, alpha = 1 × 10−5, hidden_layer_sizes = (5, 2) |
DT | default parameters |
SVM | C = 1.0, kernel = ‘rbf’, degree = 3, gamma = ‘scale’, coef0 = 0.0, shrinking = True, probability = True |
RF | default parameters |
SGD | max_iter = 1000, tol = 1 × 10−3 |
DNN | No. of hidden layers = 4, No. of neurons = (256, 128, 64, 32), activation = (relu, sigmoid), lr = 0.001, dropout = 0.2, optimizer = adam |
CNN | No. of Conv. layers = 3, No. of neurons in Conv. layers = (128, 64, 64), pool_size = 2, kernel_size = 3, No. of dense layers = 4, No. of neurons in dense layers = (256, 128, 64, 32), activation = (relu, sigmoid) |
LSTM | No. of hidden layers = 1, No. of neurons = 128, activation = sigmoid, lr = 0.001, optimizer = adam |
GRU | No. of hidden layers = 1, No. of neurons = 128, activation = sigmoid, lr = 0.001, optimizer = adam |
A-KNN | method = ‘mean’, contamination = 0.01 |
ISOF | contamination = 0.01 |
KNN | contamination = 0.01 |
LOF | contamination = 0.01 |
OCSVM | contamination = 0.01 |
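The supervised configurations in the table map directly onto scikit-learn constructors. The sketch below is illustrative only: the choice of `BernoulliNB` for the NB row is an assumption inferred from the `binarize` parameter, and the deprecated `multi_class='multinomial'` keyword for LR is left out because it is the default behavior of the `lbfgs` solver in recent scikit-learn releases.

```python
from sklearn.naive_bayes import BernoulliNB
from sklearn.linear_model import LogisticRegression, SGDClassifier
from sklearn.neural_network import MLPClassifier

# NB row: alpha, binarize, fit_prior, class_prior.
nb = BernoulliNB(alpha=1.0, binarize=0.0, fit_prior=True, class_prior=None)

# LR row: multinomial behavior is the lbfgs default in recent versions.
lr = LogisticRegression(random_state=0, solver="lbfgs")

# NN row: a small multi-layer perceptron with two hidden layers.
nn = MLPClassifier(solver="lbfgs", alpha=1e-5, hidden_layer_sizes=(5, 2))

# SGD row.
sgd = SGDClassifier(max_iter=1000, tol=1e-3)

print(nb.alpha, lr.solver, nn.hidden_layer_sizes, sgd.max_iter)
```

The unsupervised rows (A-KNN, ISOF, KNN, LOF, OCSVM) follow the PyOD convention, where `contamination` gives the expected fraction of outliers in the training data.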
Model Type | Filter (7) | Wrapper (2) | Embedded (6) | Ensemble (1) | Original (1) | Total |
---|---|---|---|---|---|---|
ML (7) | 49 | 14 | 42 | 7 | 7 | 119 |
DL (4) | 28 | 8 | 24 | 4 | 4 | 68 |
UL (5) | 35 | 10 | 30 | 5 | 5 | 85 |
Method | Feature Set | Total |
---|---|---|
PEARSON | [‘service’, ‘stcpb’, ‘sinpkt’, ‘is_sm_ips_ports’, ‘synack’, ‘ct_srv_src’, ‘sload’, ‘dwin’, ‘ct_srv_dst’, ‘tcprtt’, ‘swin’, ‘ct_dst_ltm’, ‘ackdat’, ‘dttl’, ‘dmean’, ‘rate’, ‘dload’, ‘proto’, ‘ct_state_ttl’, ‘sttl’] | 20 |
MUTINFO | [‘dur’, ‘sbytes’, ‘dbytes’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘smean’, ‘ct_state_ttl’] | 9 |
SPERCENT | [‘proto’, ‘rate’, ‘sttl’, ‘dttl’, ‘dload’, ‘sinpkt’, ‘dmean’, ‘ct_state_ttl’, ‘is_sm_ips_ports’] | 9 |
CHI2 | [‘dur’, ‘proto’, ‘service’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘sinpkt’, ‘swin’, ‘stcpb’, ‘dtcpb’, ‘dwin’, ‘ackdat’, ‘dmean’, ‘ct_srv_src’, ‘ct_state_ttl’, ‘ct_dst_ltm’, ‘ct_srv_dst’, ‘is_sm_ips_ports’] | 20 |
ANOVA | [‘proto’, ‘service’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘sinpkt’, ‘swin’, ‘stcpb’, ‘dwin’, ‘tcprtt’, ‘synack’, ‘ackdat’, ‘dmean’, ‘ct_srv_src’, ‘ct_state_ttl’, ‘ct_dst_ltm’, ‘ct_srv_dst’, ‘is_sm_ips_ports’] | 20 |
FREGEX | [‘proto’, ‘service’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘sinpkt’, ‘swin’, ‘stcpb’, ‘dwin’, ‘tcprtt’, ‘synack’, ‘ackdat’, ‘dmean’, ‘ct_srv_src’, ‘ct_state_ttl’, ‘ct_dst_ltm’, ‘ct_srv_dst’, ‘is_sm_ips_ports’] | 20 |
SFPR | [‘dur’, ‘proto’, ‘service’, ‘state’, ‘spkts’, ‘dpkts’, ‘sbytes’, ‘dbytes’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘dloss’, ‘sinpkt’, ‘sjit’, ‘djit’, ‘swin’, ‘stcpb’, ‘dtcpb’] | 20 |
SFDR | [‘dur’, ‘proto’, ‘service’, ‘state’, ‘spkts’, ‘dpkts’, ‘sbytes’, ‘dbytes’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘dloss’, ‘sinpkt’, ‘sjit’, ‘djit’, ‘swin’, ‘stcpb’, ‘dtcpb’] | 20 |
LRL1 | [‘proto’, ‘service’, ‘state’, ‘spkts’, ‘sbytes’, ‘dttl’, ‘dload’, ‘sloss’, ‘djit’, ‘swin’, ‘dwin’, ‘synack’, ‘dmean’, ‘ct_state_ttl’, ‘ct_src_dport_ltm’, ‘ct_dst_sport_ltm’, ‘is_ftp_login’, ‘ct_ftp_cmd’, ‘ct_srv_dst’, ‘is_sm_ips_ports’] | 20 |
LASSO | [‘proto’, ‘state’, ‘dttl’, ‘swin’, ‘tcprtt’, ‘synack’, ‘ct_srv_src’, ‘ct_state_ttl’, ‘ct_srv_dst’, ‘is_sm_ips_ports’] | 10 |
RF | [‘proto’, ‘sbytes’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘tcprtt’, ‘synack’, ‘ackdat’, ‘smean’, ‘dmean’, ‘ct_state_ttl’, ‘ct_dst_src_ltm’, ‘ct_srv_dst’] | 15 |
EXTREES | [‘proto’, ‘sttl’, ‘dttl’, ‘swin’, ‘smean’, ‘ct_srv_src’, ‘ct_state_ttl’, ‘ct_srv_dst’] | 8 |
LGBM | [‘dur’, ‘sbytes’, ‘dbytes’, ‘sload’, ‘sinpkt’, ‘sjit’, ‘dtcpb’, ‘tcprtt’, ‘ackdat’, ‘smean’, ‘dmean’, ‘ct_dst_src_ltm’, ‘ct_srv_dst’] | 13 |
RFE | [‘dur’, ‘proto’, ‘state’, ‘spkts’, ‘sbytes’, ‘dttl’, ‘dload’, ‘sloss’, ‘swin’, ‘dwin’, ‘tcprtt’, ‘synack’, ‘dmean’, ‘ct_srv_src’, ‘ct_state_ttl’, ‘ct_dst_ltm’, ‘ct_src_dport_ltm’, ‘is_ftp_login’, ‘ct_srv_dst’, ‘is_sm_ips_ports’] | 20 |
VTSLD | [‘dur’, ‘proto’, ‘service’, ‘state’, ‘spkts’, ‘dpkts’, ‘sbytes’, ‘dbytes’, ‘rate’, ‘sttl’, ‘dttl’, ‘sload’, ‘dload’, ‘sloss’, ‘dloss’, ‘sinpkt’, ‘dinpkt’, ‘sjit’, ‘djit’, ‘swin’] | 20 |
Feature | PEARSON | MUTINFO | SPERCENT | CHI2 | ANOVA | FREGEX | SFPR | SFDR | LRL1 | LASSO | RF | EXTREES | LGBM | RFE | VTSLD | Count |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
dttl | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 1 | 14 |
proto | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 1 | 13 |
dload | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 1 | 11 |
swin | 1 | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 0 | 1 | 1 | 11 |
sttl | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 1 | 11 |
ct_state_ttl | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 1 | 1 | 0 | 1 | 0 | 11 |
ct_srv_dst | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 10 |
rate | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 1 | 10 |
sload | 1 | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 0 | 1 | 0 | 1 | 10 |
sinpkt | 1 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 9 |
dmean | 1 | 0 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 9 |
service | 1 | 0 | 0 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 8 |
ct_srv_src | 1 | 0 | 0 | 1 | 1 | 1 | 0 | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 0 | 8 |
is_sm_ips_ports | 1 | 0 | 1 | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 | 1 | 0 | 8 |
sbytes | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 1 | 1 | 0 | 1 | 0 | 1 | 1 | 1 | 8 |
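The count column above is obtained by tallying how many of the individual feature sets contain each feature. The sketch below illustrates this majority-voting step using three of the shorter subsets listed earlier (MUTINFO, SPERCENT, and LASSO); the full ensemble uses all fifteen methods, and the strictly-more-than-half threshold is an assumption for illustration.

```python
from collections import Counter

# Three of the per-method feature subsets from the earlier table.
feature_sets = {
    "MUTINFO": ["dur", "sbytes", "dbytes", "rate", "sttl", "dttl",
                "sload", "smean", "ct_state_ttl"],
    "SPERCENT": ["proto", "rate", "sttl", "dttl", "dload", "sinpkt",
                 "dmean", "ct_state_ttl", "is_sm_ips_ports"],
    "LASSO": ["proto", "state", "dttl", "swin", "tcprtt", "synack",
              "ct_srv_src", "ct_state_ttl", "ct_srv_dst", "is_sm_ips_ports"],
}

# Majority voting: count how many methods selected each feature,
# then keep the features chosen by more than half of the methods.
votes = Counter(f for fs in feature_sets.values() for f in fs)
threshold = len(feature_sets) / 2
ensemble = sorted(f for f, c in votes.items() if c > threshold)
print(ensemble)
# → ['ct_state_ttl', 'dttl', 'is_sm_ips_ports', 'proto', 'rate', 'sttl']
```

With all fifteen methods, the same tally produces the counts shown in the table (e.g., dttl selected by 14 of 15 methods).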
FS Method | ML Model | Accuracy | F1 Score | Precision | Recall | Time (s) |
---|---|---|---|---|---|---|
PEARSON | NN | 0.857 | 0.870 | 0.857 | 0.855 | 114.30 |
MUTINFO | RF | 0.812 | 0.852 | 0.812 | 0.806 | 10.50 |
SPERCENT | RF | 0.814 | 0.855 | 0.814 | 0.809 | 9.10 |
CHI2 | NN | 0.872 | 0.880 | 0.872 | 0.871 | 180.50
ANOVA | DT | 0.850 | 0.863 | 0.850 | 0.849 | 0.80 |
FREGEX | DT | 0.853 | 0.865 | 0.853 | 0.851 | 0.80 |
SFPR | NN | 0.831 | 0.840 | 0.831 | 0.829 | 122.81 |
SFDR | NN | 0.831 | 0.840 | 0.831 | 0.829 | 122.40 |
LRL1 | RF | 0.815 | 0.850 | 0.815 | 0.810 | 9.23 |
LASSO | NN | 0.718 | 0.725 | 0.718 | 0.716 | 92.04 |
RF | RF | 0.828 | 0.847 | 0.828 | 0.825 | 11.69 |
EXTREES | NN | 0.838 | 0.848 | 0.838 | 0.837 | 122.21 |
LGBM | RF | 0.686 | 0.687 | 0.686 | 0.686 | 15.23 |
RFE | RF | 0.766 | 0.772 | 0.766 | 0.764 | 10.78 |
VTSLD | NN | 0.806 | 0.856 | 0.806 | 0.799 | 105.76 |
ALL | DT | 0.844 | 0.857 | 0.844 | 0.842 | 1.47 |
EN | NN | 0.872 | 0.879 | 0.872 | 0.871 | 78.32 |
ML Model | FS Method | Accuracy | F1 Score | Precision | Recall | Time (s) |
---|---|---|---|---|---|---|
DT | CHI2 | 0.855 | 0.866 | 0.855 | 0.854 | 0.83 |
LR | SFPR | 0.788 | 0.847 | 0.788 | 0.778 | 1.43 |
NB | SFPR | 0.670 | 0.709 | 0.670 | 0.655 | 0.07 |
NN | EN | 0.872 | 0.879 | 0.872 | 0.871 | 78.32 |
RF | EN | 0.843 | 0.864 | 0.843 | 0.840 | 9.22 |
SGD | SFPR | 0.786 | 0.846 | 0.786 | 0.776 | 0.16 |
SVM | SFPR | 0.792 | 0.853 | 0.792 | 0.783 | 389.51 |
FS Method | DL Model | Accuracy | F1 Score | Precision | Recall | Time (s) |
---|---|---|---|---|---|---|
PEARSON | LSTM | 0.853 | 0.865 | 0.797 | 0.946 | 424.26 |
MUTINFO | DNN | 0.834 | 0.854 | 0.762 | 0.971 | 136.94 |
SPERCENT | DNN | 0.803 | 0.833 | 0.722 | 0.986 | 136.08 |
CHI2 | CNN | 0.848 | 0.863 | 0.788 | 0.953 | 210.07 |
ANOVA | GRU | 0.855 | 0.867 | 0.800 | 0.946 | 379.14 |
FREGEX | LSTM | 0.856 | 0.868 | 0.802 | 0.946 | 427.11 |
SFPR | DNN | 0.805 | 0.835 | 0.722 | 0.990 | 142.55 |
SFDR | DNN | 0.804 | 0.835 | 0.721 | 0.992 | 134.85 |
LRL1 | GRU | 0.803 | 0.833 | 0.723 | 0.982 | 384.78 |
LASSO | LSTM | 0.757 | 0.792 | 0.692 | 0.927 | 420.37 |
RF | CNN | 0.840 | 0.853 | 0.787 | 0.932 | 262.74 |
EXTREES | CNN | 0.826 | 0.833 | 0.801 | 0.869 | 205.03 |
LGBM | DNN | 0.713 | 0.698 | 0.736 | 0.664 | 136.19 |
RFE | LSTM | 0.749 | 0.782 | 0.690 | 0.902 | 462.75 |
VTSLD | DNN | 0.813 | 0.840 | 0.732 | 0.986 | 145.57 |
ALL | GRU | 0.820 | 0.843 | 0.747 | 0.966 | 368.68 |
EN | LSTM | 0.868 | 0.877 | 0.824 | 0.937 | 474.75 |
DL Model | FS Method | Accuracy | F1 Score | Precision | Recall | Time (s) |
---|---|---|---|---|---|---|
DNN | MUTINFO | 0.834 | 0.854 | 0.762 | 0.971 | 136.94 |
CNN | CHI2 | 0.848 | 0.863 | 0.788 | 0.953 | 210.07 |
LSTM | EN | 0.868 | 0.877 | 0.824 | 0.937 | 474.75 |
GRU | EN | 0.865 | 0.874 | 0.817 | 0.941 | 427.58 |
FS Method | UL Model | Accuracy | F1 Score | Precision | Recall | Time (s) |
---|---|---|---|---|---|---|
PEARSON | KNN | 0.73 | 0.72 | 0.78 | 0.73 | 19.24 |
MUTINFO | LOF | 0.65 | 0.63 | 0.70 | 0.65 | 1.36 |
SPERCENT | LOF | 0.61 | 0.60 | 0.61 | 0.61 | 2.11 |
CHI2 | KNN | 0.73 | 0.71 | 0.81 | 0.73 | 24.05 |
ANOVA | KNN | 0.73 | 0.72 | 0.78 | 0.73 | 18.81 |
FREGEX | KNN | 0.73 | 0.72 | 0.78 | 0.73 | 27.82 |
SFPR | KNN | 0.68 | 0.67 | 0.73 | 0.68 | 17.69 |
SFDR | KNN | 0.68 | 0.67 | 0.73 | 0.68 | 20.65 |
LRL1 | KNN | 0.64 | 0.64 | 0.65 | 0.64 | 35.64 |
LASSO | KNN | 0.63 | 0.63 | 0.63 | 0.63 | 1.99 |
RF | A-KNN | 0.66 | 0.64 | 0.72 | 0.67 | 2.30 |
EXTREES | KNN | 0.70 | 0.67 | 0.78 | 0.70 | 1.92 |
LGBM | A-KNN | 0.51 | 0.40 | 0.56 | 0.52 | 2.23 |
RFE | ISOF | 0.60 | 0.53 | 0.75 | 0.60 | 3.21 |
VTSLD | KNN | 0.64 | 0.64 | 0.64 | 0.64 | 10.64 |
ALL | A-KNN | 0.65 | 0.62 | 0.72 | 0.65 | 14.09 |
EN | A-KNN | 0.76 | 0.75 | 0.80 | 0.76 | 2.74 |
UL Model | FS Method | Accuracy | F1 Score | Precision | Recall | Time (s) |
---|---|---|---|---|---|---|
A-KNN | EN | 0.76 | 0.75 | 0.80 | 0.76 | 2.74 |
ISOF | LRL1 | 0.63 | 0.58 | 0.76 | 0.64 | 5.30 |
KNN | EN | 0.76 | 0.75 | 0.81 | 0.76 | 2.77 |
LOF | PEARSON | 0.68 | 0.66 | 0.73 | 0.68 | 14.92 |
OCSVM | EXTREES | 0.55 | 0.45 | 0.68 | 0.55 | 51.02 |
Share and Cite
Saha, S.; Priyoti, A.T.; Sharma, A.; Haque, A. Towards an Optimized Ensemble Feature Selection for DDoS Detection Using Both Supervised and Unsupervised Method. Sensors 2022, 22, 9144. https://doi.org/10.3390/s22239144