A multi-label network attack detection approach based on two-stage model fusion

The diversification and complexity of network attacks pose a serious challenge to network security and lead to the phenomenon of overlapping attributes of network attack behaviors. In this context, traditional network attack detection methods are limited to single-label learning, which cannot effectively deal with complex and diverse network attacks. To better understand the relation between network attack behaviors and improve the effect of network security protection, we first analyze the well-known network attack datasets (UNSW-NB15 and CCCS-CIC-AndMal-2020) according to the proposed multi-label metrics. Subsequently, we propose a multi-label cyber-attack detection method based on two-stage model fusion. In the first stage, a category is selected based on the analysis of multi-label metrics, and binary classification is performed. In the second stage, the binary labels generated in the first stage are added to the feature space for the multi-label categorization. Experimental results show that the two-stage model fusion method effectively improves the performance of the baseline methods. In addition, we analyze the impact of different categories and binary classification performance for the multi-label detection. The experimental results show that, theoretically, when the binary classification accuracy of Normal and Adware reaches 77% and 95% respectively, the performance of the two-stage multi-label detection method exceeds the state-of-the-art methods. This indicates the effectiveness of the two-stage strategy used in our proposed method for improving the ability of multi-label network attack detection.