Hierarchical classification for intrusion detection system: Effective design and empirical analysis

The growing adoption of network technologies, particularly the Internet of Things (IoT), has led to the emergence of new and increasingly complex cyberattacks. To protect critical infrastructure from these evolving threats, it is essential to implement Intrusion Detection Systems (IDS) capable of accurately detecting a wide range of attacks while minimizing false alarms. While machine learning has been widely applied in IDS, most approaches rely on flat multi-class classification to distinguish between normal traffic and various attack types. However, cyberattacks often exhibit a hierarchical structure, where granular attack subtypes can be grouped under broader high-level categories—an aspect largely underexplored in IDS research. In this paper, we investigate the effectiveness of hierarchical classification in the context of IDS. We propose a three-level hierarchical classification model: the first level distinguishes between benign and attack traffic; the second level categorizes coarse-grained attack types; and the third level identifies specific, fine-grained attack subtypes. Our experimental evaluation, conducted using 10 different machine learning classifiers across 10 contemporary IDS datasets, reveals that hierarchical and flat classification approaches achieve comparable performance in terms of overall accuracy, precision, recall, and F1-score. However, flat classifiers are more likely to misclassify attack traffic as normal, whereas the hierarchical approach tends to misclassify one attack type as another. This distinction is critical, as failing to identify an attack altogether poses a greater risk to cybersecurity than incorrectly labeling its type. Thus, our findings highlight the value of hierarchical classification in enhancing the robustness of IDS, especially in environments where minimizing false negatives is paramount.