Individual Packet Features are a Risk to Model Generalisation in ML-Based Intrusion Detection
Kahraman Kostas, Mike Just, Michael A. Lones

TL;DR
This paper investigates how relying solely on individual packet features in ML-based intrusion detection can lead to overestimated detection performance and poor generalization across datasets, highlighting the need for considering packet interactions.
Contribution
It reveals the limitations of individual packet features and emphasizes the importance of incorporating packet interactions for more robust and generalizable intrusion detection models.
Findings
IPF can produce misleadingly high detection rates
Models based on IPF often fail to generalize across datasets
Packet interactions are crucial for robust intrusion detection
Abstract
Machine learning is increasingly used for intrusion detection in IoT networks. This paper explores the effectiveness of using individual packet features (IPF), which are attributes extracted from a single network packet, such as timing, size, and source-destination information. Through literature review and experiments, we identify the limitations of IPF, showing they can produce misleadingly high detection rates. Our findings emphasize the need for approaches that consider packet interactions for robust intrusion detection. Additionally, we demonstrate that models based on IPF often fail to generalize across datasets, compromising their reliability in diverse IoT environments.
Taxonomy
Topics: Network Security and Intrusion Detection
