Cascaded Multi-Class Network Intrusion Detection With Decision Tree and Self-attentive Model

Network intrusion has become a leading threat to breaching the security of Internet applications. With the re-emergence of artificial intelligence, deep neural networks (DNN) have been widely used for network intrusion detection. However, one main problem with the DNN models is the dependency on sufficient high-quality labeled data to train the model to achieve decent accuracy. DNN models may incur many false predictions on the imbalanced intrusion datasets, especially on the minority classes. While we continue advocating for using machine learning and deep learning for network intrusion detection, we aim at addressing the drawback of existing DNN models by effectively integrating decision tree and feature tokenizer (FT)-transformer. First, the decision tree algorithm is used for the binary classification of regular (normal) traffic and malicious traffic. Second, FT-transformer performs the multi-category classification on that malicious traffic to identify the type of attacking traffic. We conduct the performance evaluation using three publicly available datasets: CIC-IDS 2017, UNSW-NB15, and Kitsune datasets. Experimental results show that among three datasets, the proposed technique achieves the best performance on the CIC-IDS 2017 dataset with the macro precision, recall, and F1-score of 84.6%, 83.6%, and 93.2%, respectively.