Hierarchical Classification for Intrusion Detection System: Effective Design and Empirical Analysis

TL;DR

This paper evaluates hierarchical classification for intrusion detection, showing it reduces attack misclassification as normal traffic compared to flat methods, especially vital for critical systems.

Contribution

It introduces a three-level hierarchical classification model for IDS and empirically compares its performance with flat classification across multiple datasets.

Findings

Hierarchical classification reduces false negatives in attack detection.

No significant difference in overall accuracy between hierarchical and flat methods.

Hierarchical approach better minimizes attacks misclassified as normal traffic.

Abstract

With the increased use of network technologies like Internet of Things (IoT) in many real-world applications, new types of cyberattacks have been emerging. To safeguard critical infrastructures from these emerging threats, it is crucial to deploy an Intrusion Detection System (IDS) that can detect different types of attacks accurately while minimizing false alarms. Machine learning approaches have been used extensively in IDS and they are mainly using flat multi-class classification to differentiate normal traffic and different types of attacks. Though cyberattack types exhibit a hierarchical structure where similar granular attack subtypes can be grouped into more high-level attack types, hierarchical classification approach has not been explored well. In this paper, we investigate the effectiveness of hierarchical classification approach in IDS. We use a three-level hierarchical classification model to classify various network attacks, where the first level classifies benign or attack, the second level classifies coarse high-level attack types, and the third level classifies a granular level attack types. Our empirical results of using 10 different classification algorithms in 10 different datasets show that there is no significant difference in terms of overall classification performance (i.e., detecting normal and different types of attack correctly) of hierarchical and flat classification approaches. However, flat classification approach misclassify attacks as normal whereas hierarchical approach misclassify one type of attack as another attack type. In other words, the hierarchical classification approach significantly minimises attacks from misclassified as normal traffic, which is more important in critical systems.