Supervised Machine Learning-Based Intrusion Detection for 5G Networks: Evaluation on the 5G-NIDD Dataset

Abstract

The evolution of 5G networks has introduced new challenges in securing mobile infrastructures against increasingly sophisticated cyber threats. Intrusion detection in such environments has been widely studied using traditional datasets such as the Canadian Institute for Cybersecurity Intrusion Detection Systems CICIDS2017, the University of New South Wales-Network Behavior UNSW-NB15, and The Network Security Laboratory-Knowledge Discovery in Databases NSL-KDD; however, these benchmarks lack the architectural complexity and protocol diversity inherent to 5G networks. More recent research has adopted the 5G-NIDD dataset (5G Network Intrusion Detection Dataset), which provides realistic traffic generated from a live 5G testbed, including various attack scenarios targeting MEC servers and core network components. Nevertheless, existing works using 5G-NIDD often focus on limited subsets of attacks, rely on unsupervised or federated learning approaches, and lack comprehensive evaluations of supervised learning models. In contrast, this study leverages the entire 5G-NIDD dataset, encompassing all available attack scenarios, and conducts a systematic comparison of multiple supervised learning algorithms. A systematic evaluation of supervised learning algorithms is conducted using key performance metrics such as accuracy, precision, recall and F1-score to identify the most effective model for intrusion detection in 5G environments. Specifically, this study focuses on four supervised learning algorithms, K-Nearest Neighbors (KNNs), Support Vector Machines (SVMs), Logistic Regression (LR), and Naive Bayes (NB), to determine not only which achieves the highest detection accuracy but also which offers the best balance between predictive performance and computational efficiency in realistic 5G environments. To assess robustness and adaptability, the proposed models are further validated on two widely used benchmark datasets, namely CICIDS2017 and UNSW-NB15, as part of an extended analysis. This cross-dataset evaluation highlights each algorithm’s strengths and limitations under diverse network traffic conditions and attack scenarios. The results aim to validate the applicability of supervised learning approaches to intrusion detection in next-generation network infrastructures, while also emphasizing the importance of balancing predictive accuracy with computational efficiency for real-world deployment.

1. Introduction

1.1. Motivation and Previous Works

The emergence of fifth generation wireless networks (5G) marks a transformative shift in wireless communications, offering low latency, unprecedented data throughput, and extensive device connectivity [1]. These advancements enable important applications including autonomous vehicles, remote surgeries, and industrial automation [2]. However, the complexity and openness of the 5G architecture, particularly its reliance on software defined networking (SDN), edge computing, and network slicing, introduce new vulnerabilities that traditional security mechanisms struggle to address [3,4].

The progressive expansion and openness of 5G networks have prompted extensive research into intelligent security mechanisms capable of detecting and preventing cyber attacks. Conventional intrusion detection systems (IDSs), which rely on signature-based or rule-based approaches, often fail to adapt to the dynamic and high-dimensional nature of 5G traffic [5,6,7,8]. As a result, machine learning (ML) and deep learning (DL) techniques have gained significant attention due to their ability to learn patterns and generalize across diverse attack scenarios [9,10].

Beyond supervised approaches, recent surveys have highlighted the growing role of unsupervised and self-supervised learning strategies in security and anomaly detection, which aim to leverage unlabeled or partially labeled data for robust representation learning [11,12].

Anomaly detection in 5G networks has become a critical research area due to the increasing complexity, decentralization, and massive connectivity introduced by next-generation mobile infrastructures. Various studies have investigated this domain using both traditional and 5G-specific datasets, applying a wide range of machine learning and deep learning approaches.

Several notable studies have leveraged benchmark datasets such as NSL-KDD [13,14], UNSW-NB15 [15,16], and CICIDS2017 [17,18] to evaluate and improve intrusion detection techniques. Early research relied heavily on these legacy datasets, which provide structured features and labeled attack types. For instance, studies using NSL-KDD have explored multiple machine learning methods to improve detection accuracy and reduce false positives, as demonstrated in [19,20]. Similarly, the UNSW-NB15 dataset, which offers a more contemporary and diverse network traffic profile, has been used in works such as [21], where stacking-based machine learning methods improved detection performance for complex attack patterns. Kumar et al. [22] conducted a comparative study between NSL-KDD and UNSW-NB15, applying supervised learning algorithms for intrusion detection in conventional network environments. Meanwhile, the CICIDS2017 dataset, known for its rich and realistic attack scenarios, has facilitated detailed feature analysis and anomaly detection, as shown in [23], and was introduced to support research on realistic traffic patterns.

While these datasets remain essential benchmarks in the cybersecurity research community, they primarily reflect wired network behavior and lack the architectural complexity, protocol diversity, and dynamic traffic patterns unique to 5G infrastructures. This limitation highlights the need for dedicated 5G datasets and systematic evaluations that reflect real-world conditions.

To address these limitations, more recent studies have focused on 5G-specific datasets, notably the 5G-NIDD dataset, which was generated from a real 5G testbed at the University of Oulu. This dataset includes traffic from legitimate users and simulated attackers attempting to access MEC servers, providing a more realistic representation of 5G network behavior.

For instance, Sheikhi et al. proposed an unsupervised federated learning framework for detecting DDoS attacks using 5G-NIDD [24]. Their method preserved data privacy and demonstrated scalability across distributed nodes; however, it was limited to specific attack types and did not explore supervised alternatives. In another study [25], the same authors developed a Long Short-Term Memory (LSTM)-based time-series model aimed at identifying anomalies in 5G core traffic. Although effective for sequential data, this model was not compared with other machine learning techniques, and its generalization across different attack categories remained unexplored. More broadly, existing studies using 5G-NIDD have not provided a comprehensive supervised learning evaluation across all attack scenarios.

Despite the growing interest in the 5G-NIDD dataset, most existing research has predominantly relied on unsupervised learning methods, often focusing on limited subsets of the data or specific attack scenarios. Comprehensive evaluations using supervised machine learning algorithms remain scarce, particularly those leveraging the full feature set of 5G-NIDD. This gap leaves the comparative performance of supervised techniques in terms of accuracy, precision, recall and scalability largely unexplored. Thus, while prior research has advanced the field through unsupervised and federated approaches, the literature still lacks a systematic supervised learning analysis that addresses both detection performance and generalization capability under distribution shifts. In this study, we address this limitation by systematically applying and benchmarking multiple supervised learning algorithms to evaluate their effectiveness in detecting anomalies in realistic 5G network traffic.

1.2. Aims and Contributions

The literature still lacks a systematic supervised learning evaluation on the full 5G-NIDD dataset, as well as a rigorous cross-dataset analysis to assess generalization capability under distribution shifts. This gap motivates our study, which aims to provide new insights into the effectiveness and limitations of supervised learning approaches for intrusion detection in realistic 5G environments.

In light of these limitations, this study aims to advance the field by utilizing the 5G-NIDD dataset to systematically evaluate four supervised learning algorithms (K-Nearest Neighbors, Support Vector Machines, Logistic Regression, Naive Bayes), to identify both the most accurate and the most computationally efficient model, and to assess their generalization capability across heterogeneous datasets. The selection of KNN, SVM, Logistic Regression, and Naive Bayes ensures coverage of different methodological families. KNN represents instance-based learning, SVM margin-based classification, Logistic Regression linear modeling, and Naive Bayes probabilistic learning. This diversity allows us to evaluate both accuracy and efficiency across complementary approaches, providing a comprehensive supervised learning benchmark for 5G intrusion detection.

Building upon recent contributions in federated learning and unsupervised modeling for 5G security [24,25], this work proposes the following key contributions:

• Full-spectrum evaluation across all subsets of the 5G-NIDD dataset, covering diverse attack types including DoS, port scanning, and other intrusion scenarios.
• Replication and extension of federated learning systems, particularly those based on unsupervised time-series modeling, to validate their effectiveness in realistic 5G settings.
• Evaluation of supervised learning algorithms, including K-Nearest Neighbors, Support Vector Machines, Logistic Regression, and Naive Bayes, under consistent experimental conditions.
• Comparative analysis across benchmark datasets, namely CICIDS2017 and UNSW-NB15.
• Performance benchmarking using multiple evaluation metrics, including precision, accuracy, confusion matrix, and F1-score, to identify robust and scalable detection models for 5G networks.

Through this multi-faceted approach, this study aims to provide deeper insights into the strengths and limitations of various detection strategies and contribute to the development of more resilient and privacy-aware security solutions for next-generation mobile networks.

1.3. Organization

The structure of this paper is as follows: Section 2 introduces the data collection process. The proposed machine learning models are detailed in Section 3, while Section 4 discusses the experimental results. Section 5 concludes the study and outlines future work.

2. Data Collection

In this study, we utilize the 5G-NIDD [24,25,26], a publicly available and fully labeled dataset collected from a realistic 5G testbed. The dataset encompasses a wide range of network traffic scenarios, including both benign and malicious activities such Distributed Packet Forwarding Control Protocol (PFCP) attacks, Distributed Denial of Service (DDoS) attacks (UDP Flood and SYN Flood), and Distributed IP Spoofing attacks. Its rich feature set and high dimensionality render it well suited for assessing both conventional machine learning models [27]. The 5G-NIDD dataset serves as a robust foundation for analyzing anomaly detection algorithms in next-generation mobile networks, enabling a comprehensive and comparative analysis across multiple AI approaches.

5G-NIDD dataset contains 45 features and 1 label column as shown in the following

Table 1. List of extracted features from the network.

Feature Type	Feature Name
ip	ip.flags.df, ip.ttl, ip.len, ip.flags.mf, ip.proto, ip.fragments, ip.fragment, ip.fragment.count
udp	udp.port, udp.length
tcp	tcp.time_delta, tcp.analysis.ack_rtt, tcp.urgent_pointer, tcp.window_size, tcp.port, tcp.ack, tcp.seq, tcp.len, tcp.flags, tcp.ack_raw, tcp.segments, tcp.reassembled.length, tcp.time_relative, tcp.window_size.1, tcp.stream
http	http.request
frame	frame.time_delta, frame.time_relative
gtp	gtp.flags.version, gtp.flags.payload, gtp.ext_hdr.pdu_ses_con.qos_flow_id, gtp.ext_hdr, gtp.ext_hdr.pdu_ses_cont.ppp, gtp.flags,gtp.length, gtp.ext_hdr.pdu_ses_con.pdu_type, gtp.ext_hdr.pdu_ses_cont.rqi, gtp.flags.e, gtp.flags.pn, gtp.ext_hdr.length, gtp.flags.s, gtp.message, gtp.teid, gtp.flags.reserved
label	0 for Normal, 1 for Anomaly/Attack

.

5G-NIDD dataset contains a total of 24,932 records, of which 14,932 are labeled as benign and 10,000 as malicious. This corresponds to $59.89\%$ benign traffic and $40.11\%$ malicious traffic [25].

The data are supplied in a variety of CSV files [26]:

• Train_subset_1.csv and Train_subset_2.csv: These comprise training data and can either be used individually or merged to create a larger training set.
• Test_Data.csv: A test set that consists of all traffic types is used to evaluate the final model.

3. Proposed ML Approaches

In this work, we aim to carry out a comprehensive assessment of four widely adopted supervised classification algorithms, K-Nearest Neighbors , Support Vector Machine, Logistic Regression, and Naive Bayes, using the 5G-NIDD dataset, which offers a realistic and diverse representation of traffic in next-generation mobile networks. These algorithms were selected based on their established effectiveness in network intrusion detection tasks and their complementary strengths in handling high-dimensional, imbalanced, and heterogeneous data. SVM is known for its robustness in separating complex decision boundaries, KNN for its simplicity and adaptability to local data structures, Logistic Regression for its interpretability and scalability, and Naive Bayes for its efficiency and probabilistic modeling. Outcomes of this comparative study offer important perspectives into the suitability of these models for scalable and accurate intrusion detection in 5G environments.

Each algorithm is trained and evaluated using consistent preprocessing steps, including feature selection, normalization, and class balancing. Performance is evaluated employing standard metrics such as detection rate, accuracy and false positive rate. The goal is to identify the most suitable classifier for detecting anomalies in 5G network traffic, based on empirical results and comparative analysis.

3.1. Data Preprocessing

To ensure consistency and model readiness, the following preprocessing steps are performed:

• Data Consolidation: The two training subsets are merged to form a unified training set.
• Cleaning and Validation: Missing entries are accounted for, duplicate records are removed, and data types are verified.
• Feature and Label Separation: The target variable (label) is isolated from the feature set.
• Categorical Encoding: Non-numeric attributes are transformed via Label Encoding or One-Hot Encoding as required.
• Feature Scaling: StandardScaler is applied to normalize feature distributions and improve model convergence.

3.2. Mathematical Formulation of Supervised Learning Models

We present bellow the mathematical foundations of the supervised learning algorithms employed in this study:

K-Nearest Neighbors: A distance based algorithm that adapts well to local data structures. The classification is based on the majority label among the k closest samples, where distance is computed using the Euclidean metric:

$$d(x_i,x_j)=\sqrt{\sum _{k=1}^n{(x_{i,k}-x_{j,k})}^2}.$$

Support Vector Machine: Known for its ability to model complex decision boundaries in high-dimensional spaces. The objective is to maximize the margin between classes by solving

$$\underset{w,b}{min}{\displaystyle \frac{1}{2}}{\parallel w\parallel }^2\mathrm{subject}\mathrm{to}{y}_i(w·x_i+b)\ge 1.$$

Logistic Regression: A linear model valued for its interpretability and scalability. The probability of class membership is modeled using the sigmoid function:

$$P(y=1|x)={\displaystyle \frac{1}{1+e^{-(w·x+b)}}}.$$

Naive Bayes: A probabilistic classifier that is computationally effective and appropriate for discrete features. Classification relies on Bayes’ theorem under the assumption of feature independence:

$$P\left(y\right|x)={\displaystyle \frac{P\left(x\right|y\left)P\right(y)}{P\left(x\right)}}.$$

These formulations provide the theoretical basis for the models’ decision-making processes and allow us to interpret their performance in relation to dataset characteristics [28].

3.3. Performance Evaluation

The performance of the model is evaluated using the Test_Data.csv file and the following metrics:

• Accuracy: Percentage of correct predictions over the total predictions.
• Precision: Ability to avoid false positives.
• Recall: Capacity to correctly identify positive instances.
• F1-Score: The harmonic mean is used to capture the trade-off between precision and recall by a performance metric, especially useful for imbalanced datasets.
• Confusion Matrix: Detailed breakdown of classification outcomes per class.

Comparative analysis across algorithms and configurations identifies the most effective and scalable solution for intrusion detection in 5G networks.

4. Results and Discussion

The experimental framework and results obtained using the proposed supervised machine learning techniques are detailed in this section. It outlines the procedural steps undertaken during the experimentation, describes the setup of the experimental environment, and specifies the evaluation indicators utilized to evaluate the performance of the model. Furthermore, it provides a thorough analysis of the outcomes, highlighting the robustness of the proposed methods compared to existing techniques previously applied to the 5G-NIDD dataset. To assess the robustness and adaptability of our approaches, we extend the evaluation to previous datasets, in particular CICIDS2017, UNSW-NB15. This cross-dataset comparison highlights the generalization capabilities of our models and the relative strength of the 5G-NIDD dataset.

4.1. Experimental Setup

The implementation of the proposed model, along with its initial preprocessing stages, was conducted utilizing Python 3.14-driven frameworks.

All experiments were performed employing the 5G-NIDD dataset. The dataset was generated using the Open5GS core network and UERANSIM (User Equipment RAN Simulator) to emulate user equipment and radio access. This testbed architecture reproduces essential characteristics of modern 5G environments, including high bandwidth, low latency, and heterogeneous service types. Normal traffic traces were collected from scenarios such as video streaming, IoT communication, and web browsing, while malicious traffic was injected through controlled attack simulations. This design ensures that both benign and attack flows reflect realistic operational conditions of 5G networks, thereby validating the dataset’s suitability for intrusion detection research.

The training data comprised merged subsets (Train_subset_1.csv and Train_subset_2.csv) and evaluation was performed on Test_Data.csv. Each classification, SVM, KNN, Naive Bayes, and Logistic Regression, was trained and tested under specific configurations. The parameters for each supervised learning algorithm are summarized in the table below.

The parameters summarized in

Table 2. Parameters for each supervised learning algorithm.

Algorithm	Key Parameters
KNN	k = 5, Distance = Euclidean
SVM	Kernel = RBF, C = 1.0, Gamma = scale, random_state = 42
LR	max_iter = 1000, random_state = 42
NB	Gaussian NB

were selected to ensure both reproducibility and optimal performance across the evaluated models. For the SVM, the RBF kernel was chosen to capture non-linear relationships in the data, with the regularization parameter C and kernel coefficient $\gamma$ set to default values after preliminary validation. The inclusion of random_state = 42 guarantees reproducibility of the experiments. The KNN classifier was configured with $k=5$ and Euclidean distance, providing a balanced trade-off between bias and variance. NB was implemented using the Gaussian assumption, which is well suited for continuous features in the dataset. LR was trained with an increased maximum number of iterations (1000) to ensure convergence, and a fixed random state was applied for reproducibility. These configurations reflect standard practices in intrusion detection research, and cross-validation was applied to them to minimize overfitting and enhance the reliability of the comparative analysis [29,30,31].

The most important features derived from the dataset are depicted in Figure 1 based on their contribution to anomaly detection. These features were identified using feature importance analysis techniques, which rank attributes according to their impact on model performance. The visualization highlights key network parameters such as gtp flags, udp size, flow duration, and protocol type, which play a crucial role in distinguishing normal traffic from malicious activity. This insight supports the selection of relevant inputs for supervised algorithms and enhances the interoperability of the detection process [32].

4.2. Evaluation Metrics

To assess the performance of each classification algorithm, we employed the following standard metrics:

• Accuracy measures the proportion of correctly classified instances:

  $$\mathrm{Accuracy}={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

  where TP denotes true positive, TN denotes true negative, FP denotes false positive, and FN denotes false negative.
• Precision measures the percentage of actual positives among all anticipated positives:

  $$\mathrm{Precision}={\displaystyle \frac{TP}{TP+FP}}$$
• Recall evaluates the percentage of valid positives that were correctly identified:

  $$\mathrm{Recall}={\displaystyle \frac{TP}{TP+FN}}$$
• F1-Score represents the harmonic mean of precision and recall:

  $$\text{F1-Score}=2\times {\displaystyle \frac{\mathrm{Precision}\times \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

4.3. Comparative Results and Discussion

This section details the experimental evaluation of four supervised machine learning algorithms KNN, SVM, LR, and NB on the 5G-NIDD dataset. The performance of these models is further compared against two benchmark datasets widely used in network intrusion detection research: UNSW-NB15 and CICIDS2017. Finally, the achieved results are compared with unsupervised methods (Autoencoder and K-Means) from a previous study on the same 5G dataset.

4.3.1. Performance on 5G-NIDD Dataset

Table 3. Evaluation and comparison of results of supervised algorithms on 5G-NIDD dataset.

Model	Accuracy	Precision	Recall	F1-Score
KNN	0.9979	1.00	0.99	0.99
SVM	0.7888	0.39	0.50	0.44
LR	0.8101	0.90	0.55	0.54
NB	0.6652	0.69	0.78	0.64

recaps the performance metrics of all supervised models on the 5G-NIDD dataset.

According to results in Table 3, the KNN algorithm exhibited superior performance with an accuracy of 99.79%, outperforming all other models. Both precision and recall values were close to 1.0, indicating that KNN was capable of accurately distinguishing between normal and anomalous traffic instances with minimal misclassification. This exceptionally high accuracy can be explained by several factors. First, the strong feature separation inherent in the 5G-NIDD dataset allows distance-based classifiers to effectively discriminate between benign and malicious traffic. Second, the homogeneity of attack traffic patterns reinforces neighborhood consistency, thereby favoring KNN. These aspects explain why KNN achieved near-perfect accuracy specifically on 5G-NIDD.

On the other hand, SVM and LR showed moderate accuracies of 78.88% and 81.01%, respectively. Despite their relatively high precision on normal traffic, their recall values for attack instances were substantially lower, suggesting difficulty in generalizing to minority classes.

The NB classifier achieved the lowest overall performance, with an accuracy of 66.52%. This limitation can be attributed to the algorithm’s strong assumption of conditional independence among features, an assumption that seldom holds in the highly correlated and heterogeneous nature of network traffic. Its recall value of 78% indicates that while it correctly identified a reasonable proportion of attack instances, it still missed a significant number of intrusions. This suggests that NB may not be ideal for highly sensitive detection environments where minimizing false negatives is critical, but it could act as a simple baseline model or as part of an ensemble to provide rapid initial detection in resource-constrained settings.

A visual comparison of the accuracy and F1-score achieved by the four supervised algorithms on the 5G-NIDD dataset is shown in Figure 2. It is clear that the results of this figure support the tabulated results and highlights that the KNN algorithm outperforms the others in terms of overall detection performance. This outstanding performance reflects the algorithm’s ability to capture complex non-linear relationships in high-dimensional 5G traffic data. In contrast, SVM and LR obtained moderate scores, indicating that linear models struggled to fully separate normal and anomalous traffic patterns. Although NB achieves the lowest overall accuracy, it still demonstrates a relatively balanced F1-score.

4.3.2. Cross-Dataset Comparison

To evaluate the robustness and generalizability of the models, the same four algorithms were applied to the UNSW-NB15 and CICIDS2017 datasets. The summarized results are reported in

Table 4. Cross-dataset performance comparison of supervised algorithms.

Dataset	Model	Accuracy	Precision	Recall	F1-Score
UNSW-NB15	KNN	0.8267	0.84	0.81	0.82
	SVM	0.7861	0.86	0.76	0.76
	LR	0.7756	0.81	0.76	0.76
	NB	0.7331	0.76	0.71	0.71
CICIDS2017	KNN	0.91	0.46	0.49	0.48
	SVM	0.91	0.46	0.49	0.48
	LR	0.92	0.46	0.50	0.48
	NB	0.92	0.46	0.50	0.48

.

Across all datasets, KNN consistently demonstrated stable and superior performance, confirming its robustness for anomaly detection tasks. On the UNSW-NB15 dataset, KNN achieved an accuracy of 82.67%, outperforming SVM and LR. However, on CICIDS2017 dataset, all models performed similarly with around 91–92% accuracy but extremely low recall for attack instances, suggesting strong class imbalance or inadequate representation of anomalies in the test sample.

These findings indicate that while the algorithms maintain high overall accuracy on balanced datasets (5G-NIDD, UNSW-NB15), their ability to detect rare intrusions (minority class) may degrade significantly under highly imbalanced conditions, as observed in CICIDS2017.

In Figure 3, a comparison of the performance of the same supervised models across three different datasets, 5G-NIDD, UNSW-NB15, and CICIDS2017, is shown. The results demonstrate that KNN consistently provides the best accuracy on all datasets, proving its robustness and adaptability to diverse network traffic distributions. While performance slightly decreased on UNSW-NB15 (82.7%), the model maintained stable detection behavior. However, on the CICIDS2017 dataset, all algorithms achieved high accuracy values (around 0.91–0.92) but with poor recall for attack classes, highlighting a severe class imbalance issue.

For CICIDS2017 and UNSW-NB15 datasets, KNN achieved lower but still competitive performance compared to 5G-NIDD. This difference highlights the impact of dataset characteristics, such as distribution shifts, feature inconsistencies, and attack diversity, on model robustness. While KNN benefits from strong feature separation in 5G-NIDD, its performance is more moderate when applied to heterogeneous traffic conditions in CICIDS2017 and UNSW-NB15. This confirms that the near-perfect accuracy observed on 5G-NIDD is dataset-specific rather than universally applicable, and underscores the importance of cross-dataset evaluation to validate the generalization capability of intrusion detection models.

4.3.3. Comparison with Unsupervised Learning Approaches

To further assess the relative efficiency of supervised versus unsupervised learning methods, results were compared with those obtained from Autoencoder and K-Means algorithms implemented on the same 5G-NIDD dataset [25]. The outcomes are shown in

Table 5. Comparison with unsupervised methods on 5G-NIDD dataset.

Model	Accuracy	Precision	Recall	F1-Score
KNN (Supervised)	0.9979	1.00	0.99	0.99
K-Means (Unsupervised)	0.92	0.94	0.78	0.85
Autoencoder (Unsupervised)	0.67	0.47	0.64	0.54

.

In Table 5, we present a comparison between the supervised KNN model and two unsupervised approaches K-Means and the Autoencoder, on the 5G-NIDD dataset. The results reveal a clear performance gap in favor of the supervised method. The KNN classifier attained the best performance across all metrics, with an accuracy of 99.79% and an F1-score of 0.99, indicating near-perfect detection of both normal and attack traffic.

Among the unsupervised models, K-Means obtained a reasonable accuracy of 92% and a precision of 0.94, showing that it can correctly identify most attacks it flags; however, its recall (0.78) indicates that a significant portion of intrusions remain undetected. The Autoencoder, in contrast, achieved a low precision (0.47) and accuracy (67%), suggesting that it produces a considerable number of false alarms.

These results confirm that supervised algorithms, particularly KNN, significantly outperform unsupervised methods in precision, recall and F1-score when sufficient labeled samples exist. Nevertheless, unsupervised methods remain essential alternatives in scenarios where labels are unavailable or costly to obtain.

Figure 4 contrasts the outcomes of the most effective supervised model (KNN) with two unsupervised approaches (Autoencoder and K-Means) on the 5G-NIDD dataset. As illustrated, KNN achieves almost perfect detection performance, while the Autoencoder and K-Means exhibit substantially lower accuracy and F1-scores. This comparison emphasizes the significant advantage of supervised learning in the presence of labeled data, whereas unsupervised methods remain valuable alternatives for zero-day attacks or situations where manual labeling is impractical. Overall, these findings highlight the complementarity between the two paradigms and suggest that future 5G anomaly detection systems could benefit from hybrid or semi-supervised architectures that combine their strengths.

4.3.4. Discussion

Overall, the experimental findings demonstrate that KNN offers the most reliable and balanced performance across all datasets, followed by LR, SVM, and NB. The superior results of KNN can be attributed to its instance-based learning mechanism, which effectively captures the non-linear boundaries typical of 5G network traffic patterns.

However, the model’s computational complexity and sensitivity to large-scale data may limit real-time applicability. In contrast, SVM and Logistic Regression, though less accurate, provide faster inference, increasing their suitability for deployment in 5G environments with limited resources.

The cross-dataset evaluation also emphasizes the strong dependency between model performance and dataset characteristics—especially class balance, feature diversity, and traffic distribution—highlighting the need for adaptive detection frameworks that can standardize across heterogeneous 5G network environments.

Figure 5 illustrates the confusion matrix of the KNN classifier on the 5G-NIDD dataset. The model correctly identified almost all normal and attack samples, where the number of false negatives is eight and the number of false positives is zero. This confirms the model’s high reliability and precision for real-time anomaly detection in 5G environments. The diagonal dominance in the matrix visually supports the quantitative metrics reported earlier.

4.4. Practical Computational Cost Analysis

While detection performance is essential, practical deployment of intrusion detection systems in 5G networks also requires computational efficiency. In this study, we therefore analyze the training and inference behavior of the evaluated supervised models in relation to the experimental results obtained on the three datasets.

During experimentation, Logistic Regression and Naive Bayes exhibited the fastest training times due to their linear computational structure. Their convergence was stable across all datasets, even when the number of traffic instances increased. In contrast, SVM required longer training time, particularly on larger datasets, due to the quadratic optimization process involved. KNN, as a lazy learner, did not require explicit training but incurred higher memory usage since the entire training dataset must be stored.

From an inference perspective, which is more critical in real-time 5G intrusion detection, Logistic Regression and Naive Bayes demonstrated the lowest prediction latency. Their decision function relies on linear operations over the feature space, making them suitable for high-throughput traffic environments.

KNN showed increased prediction time proportional to the size of the training set, since distance computation is required for each new traffic instance. This behavior may limit scalability in large-scale 5G scenarios. SVM inference time depended on the number of support vectors; in cross-dataset evaluation, we observed that model generalization sometimes increased this number, slightly impacting prediction efficiency.

Considering both detection performance and computational cost, Logistic Regression provides a favorable trade-off between accuracy, robustness, and real-time feasibility. Naive Bayes offers strong computational efficiency but may sacrifice performance in more complex traffic distributions. SVM achieves competitive detection results but at a higher computational cost, while KNN may become impractical in high-density traffic conditions.

These observations suggest that linear models are more suitable for scalable 5G intrusion detection systems, especially when deployment constraints require low-latency decision-making.

5. Conclusions

This study presented a comparative evaluation of supervised machine learning models for intrusion detection in 5G network environments using multiple benchmark datasets, including 5G-NIDD, CICIDS2017, and UNSW-NB15. The experimental results showed that the evaluated models exhibit varying levels of detection performance depending on the dataset characteristics, particularly in terms of accuracy, precision, recall, and F1-score.

The choice of algorithms was motivated by their methodological diversity: K-Nearest Neighbors as an instance-based learner, Support Vector Machines as a margin-based classifier, Logistic Regression as a linear baseline, and Naive Bayes as a probabilistic model. This selection allowed us to systematically compare complementary approaches and highlight their respective strengths and limitations in 5G intrusion detection.

Among the tested approaches, K-Nearest Neighbors consistently achieved the best overall performance across datasets, demonstrating its strong capability in capturing complex patterns in 5G network traffic. In contrast, other models such as Logistic Regression, Support Vector Machine, and Naive Bayes showed more variability in performance, especially under different data distributions. Beyond classification performance, the study also highlighted the importance of computational efficiency and scalability in real-world deployment scenarios. The results indicate that while high detection accuracy is achievable, practical applicability in 5G environments requires a careful trade-off between performance and computational cost. In this context, simpler models such as Logistic Regression offer a balanced compromise between accuracy and efficiency.

Overall, the findings emphasize that robust intrusion detection in 5G networks should not rely solely on predictive accuracy but must also consider generalization capability across datasets and operational constraints.

The study also included comparisons with unsupervised approaches (K-Means) and deep learning models (Autoencoders), providing additional context on how classical supervised methods perform relative to modern approaches.

Future work will focus on developing adaptive and hybrid learning frameworks capable of maintaining high detection performance under dynamic and evolving network conditions. Building on the supervised learning baseline established in this study, future research will also extend the evaluation by incorporating modern deep learning architectures such as Convolutional Neural Networks (CNNs) and Transformers. This combined direction will allow us to explore both the adaptability of hybrid approaches and the advanced representational power of deep learning models, ultimately aiming to design intrusion detection systems that are accurate, scalable, and resilient in real-world 5G environments.