Hierarchical classification for intrusion detection system: Effective design and empirical analysis

IF 4.8 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Ad Hoc Networks Pub Date : 2025-07-29 DOI:10.1016/j.adhoc.2025.103982

Md. Ashraf Uddin , Sunil Aryal , Mohamed Reda Bouadjenek , Muna Al-Hawawreh , Md. Alamin Talukder

{"title":"Hierarchical classification for intrusion detection system: Effective design and empirical analysis","authors":"Md. Ashraf Uddin , Sunil Aryal , Mohamed Reda Bouadjenek , Muna Al-Hawawreh , Md. Alamin Talukder","doi":"10.1016/j.adhoc.2025.103982","DOIUrl":null,"url":null,"abstract":"<div><div>The growing adoption of network technologies, particularly the Internet of Things (IoT), has led to the emergence of new and increasingly complex cyberattacks. To protect critical infrastructure from these evolving threats, it is essential to implement Intrusion Detection Systems (IDS) capable of accurately detecting a wide range of attacks while minimizing false alarms. While machine learning has been widely applied in IDS, most approaches rely on flat multi-class classification to distinguish between normal traffic and various attack types. However, cyberattacks often exhibit a hierarchical structure, where granular attack subtypes can be grouped under broader high-level categories—an aspect largely underexplored in IDS research. In this paper, we investigate the effectiveness of hierarchical classification in the context of IDS. We propose a three-level hierarchical classification model: the first level distinguishes between benign and attack traffic; the second level categorizes coarse-grained attack types; and the third level identifies specific, fine-grained attack subtypes. Our experimental evaluation, conducted using 10 different machine learning classifiers across 10 contemporary IDS datasets, reveals that hierarchical and flat classification approaches achieve comparable performance in terms of overall accuracy, precision, recall, and F1-score. However, flat classifiers are more likely to misclassify attack traffic as normal, whereas the hierarchical approach tends to misclassify one attack type as another. This distinction is critical, as failing to identify an attack altogether poses a greater risk to cybersecurity than incorrectly labeling its type. Thus, our findings highlight the value of hierarchical classification in enhancing the robustness of IDS, especially in environments where minimizing false negatives is paramount.</div></div>","PeriodicalId":55555,"journal":{"name":"Ad Hoc Networks","volume":"178 ","pages":"Article 103982"},"PeriodicalIF":4.8000,"publicationDate":"2025-07-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Ad Hoc Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1570870525002306","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The growing adoption of network technologies, particularly the Internet of Things (IoT), has led to the emergence of new and increasingly complex cyberattacks. To protect critical infrastructure from these evolving threats, it is essential to implement Intrusion Detection Systems (IDS) capable of accurately detecting a wide range of attacks while minimizing false alarms. While machine learning has been widely applied in IDS, most approaches rely on flat multi-class classification to distinguish between normal traffic and various attack types. However, cyberattacks often exhibit a hierarchical structure, where granular attack subtypes can be grouped under broader high-level categories—an aspect largely underexplored in IDS research. In this paper, we investigate the effectiveness of hierarchical classification in the context of IDS. We propose a three-level hierarchical classification model: the first level distinguishes between benign and attack traffic; the second level categorizes coarse-grained attack types; and the third level identifies specific, fine-grained attack subtypes. Our experimental evaluation, conducted using 10 different machine learning classifiers across 10 contemporary IDS datasets, reveals that hierarchical and flat classification approaches achieve comparable performance in terms of overall accuracy, precision, recall, and F1-score. However, flat classifiers are more likely to misclassify attack traffic as normal, whereas the hierarchical approach tends to misclassify one attack type as another. This distinction is critical, as failing to identify an attack altogether poses a greater risk to cybersecurity than incorrectly labeling its type. Thus, our findings highlight the value of hierarchical classification in enhancing the robustness of IDS, especially in environments where minimizing false negatives is paramount.

查看原文本刊更多论文

入侵检测系统的分层分类：有效设计与实证分析

网络技术的日益普及，特别是物联网（IoT），导致了新的和越来越复杂的网络攻击的出现。为了保护关键基础设施免受这些不断演变的威胁，必须实施能够准确检测各种攻击并同时最大限度地减少假警报的入侵检测系统（IDS）。虽然机器学习在IDS中得到了广泛的应用，但大多数方法依赖于扁平的多类分类来区分正常流量和各种攻击类型。然而，网络攻击通常表现出层次结构，其中颗粒攻击子类型可以分组在更广泛的高级类别下-这在IDS研究中很大程度上未被探索。在本文中，我们研究了层次分类在入侵检测环境下的有效性。提出了一种三级分级分类模型：第一级区分良性流量和攻击流量；第二层对粗粒度的攻击类型进行分类；第三层识别特定的、细粒度的攻击子类型。我们在10个当代IDS数据集上使用10种不同的机器学习分类器进行了实验评估，结果表明，分层和扁平分类方法在总体准确性、精度、召回率和f1分数方面取得了相当的性能。然而，扁平分类器更有可能将攻击流量错误地分类为正常，而分层方法则倾向于将一种攻击类型错误地分类为另一种攻击类型。这种区别是至关重要的，因为不能完全识别攻击比错误地标记攻击类型会给网络安全带来更大的风险。因此，我们的研究结果强调了分层分类在增强IDS稳健性方面的价值，特别是在最小化假阴性至关重要的环境中。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Ad Hoc Networks 工程技术-电信学

CiteScore

10.20

自引率

4.20%

发文量

131

审稿时长

4.8 months

期刊介绍： The Ad Hoc Networks is an international and archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in ad hoc and sensor networking areas. The Ad Hoc Networks considers original, high quality and unpublished contributions addressing all aspects of ad hoc and sensor networks. Specific areas of interest include, but are not limited to: Mobile and Wireless Ad Hoc Networks Sensor Networks Wireless Local and Personal Area Networks Home Networks Ad Hoc Networks of Autonomous Intelligent Systems Novel Architectures for Ad Hoc and Sensor Networks Self-organizing Network Architectures and Protocols Transport Layer Protocols Routing protocols (unicast, multicast, geocast, etc.) Media Access Control Techniques Error Control Schemes Power-Aware, Low-Power and Energy-Efficient Designs Synchronization and Scheduling Issues Mobility Management Mobility-Tolerant Communication Protocols Location Tracking and Location-based Services Resource and Information Management Security and Fault-Tolerance Issues Hardware and Software Platforms, Systems, and Testbeds Experimental and Prototype Results Quality-of-Service Issues Cross-Layer Interactions Scalability Issues Performance Analysis and Simulation of Protocols.