Predicting Cyberattacks with Destination Port Through Various Input Feature Scenario

IF 0.9 Q3 ENGINEERING, MULTIDISCIPLINARY

International Journal of Reliability Quality and Safety Engineering Pub Date : 2022-06-17 DOI:10.1142/s0218539322500036

R. Zuech, John T. Hancock, T. Khoshgoftaar

{"title":"Predicting Cyberattacks with Destination Port Through Various Input Feature Scenario","authors":"R. Zuech, John T. Hancock, T. Khoshgoftaar","doi":"10.1142/s0218539322500036","DOIUrl":null,"url":null,"abstract":"When analyzing cybersecurity datasets with machine learning, researchers commonly need to consider whether or not to include Destination Port as an input feature. We assess the impact of Destination Port as a predictive feature by building predictive models with three different input feature sets and four combinations of web attacks from the CSE-CIC-IDS2018 dataset. First, we use Destination Port as the only (single) input feature to our models. Second, all features (from CSE-CIC-IDS2018) are used without Destination Port to build the models. Third, all features plus (including) Destination Port are used to train and test the models. All three of these feature sets obtain respectable classification results in detecting web attacks with LightGBM and CatBoost classifiers in terms of Area Under the Receiver Operating Characteristic Curve (AUC) scores, with AUC scores exceeding 0.90 for all scenarios. We observe the best classification performance scores when Destination Port is combined with all of the other CSE-CIC-IDS2018 features. Although, classification performance is still respectable when only using Destination Port as the only (single) input feature. Additionally, we validate that Botnet attacks also have respectable AUC with Destination Port as the only input feature to our models. This highlights that practitioners must be mindful of whether or not to include Destination Port as an input feature if it experiences lopsided label distributions as we clearly identify in this study. Our brief survey of existing CSE-CIC-IDS2018 literature also discovered that many studies incorrectly treat Destination Port as a numerical input feature with machine learning models. Destination Port should be treated as a categorical input value to machine learning models, as its values do not represent numerical values which can be used in mathematical equations for the models.","PeriodicalId":45573,"journal":{"name":"International Journal of Reliability Quality and Safety Engineering","volume":"28 1","pages":""},"PeriodicalIF":0.9000,"publicationDate":"2022-06-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Reliability Quality and Safety Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1142/s0218539322500036","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"ENGINEERING, MULTIDISCIPLINARY","Score":null,"Total":0}

引用次数: 0

Abstract

When analyzing cybersecurity datasets with machine learning, researchers commonly need to consider whether or not to include Destination Port as an input feature. We assess the impact of Destination Port as a predictive feature by building predictive models with three different input feature sets and four combinations of web attacks from the CSE-CIC-IDS2018 dataset. First, we use Destination Port as the only (single) input feature to our models. Second, all features (from CSE-CIC-IDS2018) are used without Destination Port to build the models. Third, all features plus (including) Destination Port are used to train and test the models. All three of these feature sets obtain respectable classification results in detecting web attacks with LightGBM and CatBoost classifiers in terms of Area Under the Receiver Operating Characteristic Curve (AUC) scores, with AUC scores exceeding 0.90 for all scenarios. We observe the best classification performance scores when Destination Port is combined with all of the other CSE-CIC-IDS2018 features. Although, classification performance is still respectable when only using Destination Port as the only (single) input feature. Additionally, we validate that Botnet attacks also have respectable AUC with Destination Port as the only input feature to our models. This highlights that practitioners must be mindful of whether or not to include Destination Port as an input feature if it experiences lopsided label distributions as we clearly identify in this study. Our brief survey of existing CSE-CIC-IDS2018 literature also discovered that many studies incorrectly treat Destination Port as a numerical input feature with machine learning models. Destination Port should be treated as a categorical input value to machine learning models, as its values do not represent numerical values which can be used in mathematical equations for the models.

查看原文本刊更多论文

基于不同输入特征场景的目的端口网络攻击预测

在使用机器学习分析网络安全数据集时，研究人员通常需要考虑是否将目的端口作为输入特征。我们通过使用来自CSE-CIC-IDS2018数据集的三种不同输入特征集和四种web攻击组合构建预测模型来评估目的端口作为预测特征的影响。首先，我们使用Destination Port作为模型的唯一(单一)输入特征。其次，所有特征(来自CSE-CIC-IDS2018)都不使用目的端口来构建模型。第三，使用所有特征加上(包括)目的端口来训练和测试模型。在使用LightGBM和CatBoost分类器检测web攻击时，这三个特征集在接收者工作特征曲线下的面积(Area Under the Receiver Operating Characteristic Curve, AUC)得分方面都获得了不错的分类结果，所有场景的AUC得分都超过0.90。当目的端口与所有其他CSE-CIC-IDS2018特征相结合时，我们观察到最佳分类性能分数。尽管如此，当仅使用Destination Port作为唯一(单一)输入特征时，分类性能仍然不错。此外，我们验证了僵尸网络攻击也具有可观的AUC，目的端口作为我们模型的唯一输入特征。这突出表明，如果我们在本研究中清楚地确定的标签分布不平衡，从业者必须注意是否将目的端口作为输入特征包括在内。我们对现有CSE-CIC-IDS2018文献的简要调查还发现，许多研究错误地将目的端口视为带有机器学习模型的数字输入特征。Destination Port应被视为机器学习模型的分类输入值，因为它的值不代表可用于模型数学方程的数值。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Reliability Quality and Safety Engineering ENGINEERING, MULTIDISCIPLINARY-

CiteScore

1.70

自引率

25.00%

发文量

期刊介绍： IJRQSE is a refereed journal focusing on both the theoretical and practical aspects of reliability, quality, and safety in engineering. The journal is intended to cover a broad spectrum of issues in manufacturing, computing, software, aerospace, control, nuclear systems, power systems, communication systems, and electronics. Papers are sought in the theoretical domain as well as in such practical fields as industry and laboratory research. The journal is published quarterly, March, June, September and December. It is intended to bridge the gap between the theoretical experts and practitioners in the academic, scientific, government, and business communities.