Flow Exporter Impact on Intelligent Intrusion Detection Systems
Daniela Pinto, João Vitorino, Eva Maia, Ivone Amorim, Isabel Praça

TL;DR
This paper demonstrates that using a reliable flow exporter like HERA to process network datasets significantly improves the accuracy and generalization of machine learning models for intrusion detection.
Contribution
It investigates the impact of flow exporters on dataset quality and model performance, highlighting the benefits of using HERA for feature extraction in intrusion detection datasets.
Findings
Models trained on HERA-processed datasets outperform those trained on the original datasets in accuracy.
Flow generation quality directly influences machine learning model effectiveness.
Improved dataset quality leads to better generalization of intrusion detection models.
Abstract
High-quality datasets are critical for training machine learning models, as inconsistencies in feature generation can hinder the accuracy and reliability of threat detection. For this reason, ensuring the quality of the data in network intrusion detection datasets is important. A key component of this is using reliable tools to generate the flows and features present in the datasets. This paper investigates the impact of flow exporters on the performance and reliability of machine learning models for intrusion detection. Using HERA, a tool designed to export flows and extract features, the raw network packets of two widely used datasets, UNSW-NB15 and CIC-IDS2017, were processed from PCAP files to generate new versions of these datasets. These were compared to the original ones in terms of their influence on the performance of several models, including Random Forest, XGBoost, LightGBM,…
Taxonomy
Topics: Network Security and Intrusion Detection
