A Multi-stage Feature Selection and Stacked Ensemble Learning for Efficient Real-time SNMP-based Network Intrusion Detection
Keywords:
Feature Selection, Intrusion Detection System (IDS), Mutual Information (MI), Real-Time Network, Recursive Filtering Elimination (RFE), Simple Network Management Protocol (SNMP), Spearman Correlation Filtering, Stack Ensemble Learning
Abstract
Malicious activity in operational network environments has increased significantly in number and type in the recent past, driven by the growth of high-speed networks and rising Internet usage. Intrusion detection systems (IDSs) have therefore been one of the critical measures used in safeguarding networking resources and infrastructure. Many existing IDSs suffer from low accuracy and high computational costs, mainly because of the type of network traffic data used, most of which is cumbersome, resource-intensive and contains redundant and irrelevant features. Single-stage feature selection also often fails to handle feature irrelevance and redundancy. To address these issues, this study proposes a multi-stage hybrid feature selection process on SNMP-MIB data for real-time network intrusion detection. The process applies Mutual Information and Recursive Filtering Elimination; the combined output of both serves as input to Spearman Correlation Filtering, which yields an optimal feature set. This feature set was tested on a stack ensemble using Random Forest, Support Vector Machine and Gradient Boosting algorithms as base learners with Logistic Regression as the meta-learner. The results showed that the Spearman-filtered feature set outperformed all other methods across all metrics and classes, and that the ensemble tested with the optimised feature set had the highest accuracy at 98.90% and a Macro-average F1-score of 97.31%, outperforming the best base learner by over 3.4%. They also showed that each classifier benefitted from the multi-stage hybrid feature selection techniques.
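The selection flow described in the abstract, as an added example that is not the paper's code: relevance scoring by mutual information, a union with a second selector's picks, then greedy Spearman de-duplication. Assumptions: the median-split MI estimate, reading "combined output" as a set union, the 0.9 correlation cut-off, the function names, and the constructed MIB-II counter samples; the stage-2 picks are supplied as a constructed list standing in for the Recursive Filtering Elimination output.

```python
import math
from collections import Counter

def ranks(v):
    """Average ranks, ties sharing the mean rank (needed for Spearman)."""
    order = sorted(range(len(v)), key=v.__getitem__)
    out, i = [0.0] * len(v), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and v[order[j + 1]] == v[order[i]]:
            j += 1
        for k in order[i:j + 1]:
            out[k] = (i + j) / 2 + 1
        i = j + 1
    return out

def spearman(x, y):  # rho = Pearson correlation of the two rank vectors
    rx, ry = ranks(x), ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var = sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry)
    return cov / math.sqrt(var) if var else 0.0

def mutual_info(x, labels):
    """MI in nats between a feature split at its median and the class label."""
    med = sorted(x)[len(x) // 2]
    bins = [int(v >= med) for v in x]
    n, px, py = len(x), Counter(bins), Counter(labels)
    pxy = Counter(zip(bins, labels))
    return sum(c / n * math.log(c * n / (px[b] * py[l])) for (b, l), c in pxy.items())

def select(columns, labels, rfe_pick, top_k=2, rho_max=0.9):
    """Union of MI top-k and stage-2 picks, then drop Spearman-redundant features."""
    mi = {f: mutual_info(col, labels) for f, col in columns.items()}
    pool = set(sorted(mi, key=mi.get, reverse=True)[:top_k]) | set(rfe_pick)
    kept = []
    for f in sorted(pool, key=lambda f: (-mi[f], f)):  # most relevant first
        if all(abs(spearman(columns[f], columns[g])) <= rho_max for g in kept):
            kept.append(f)
    return kept

# Constructed sample: 8 polls of MIB-II counters, label 1 = flooding interval.
COLUMNS = {
    "ifInOctets":     [120, 130, 125, 900, 950, 128, 980, 122],
    "ifInUcastPkts":  [12, 13, 12, 95, 99, 13, 97, 12],  # tracks ifInOctets
    "tcpInSegs":      [40, 42, 39, 41, 300, 43, 310, 40],
    "udpInDatagrams": [5, 9, 7, 6, 8, 5, 9, 7],
}
LABELS = [0, 0, 0, 1, 1, 0, 1, 0]
RFE_PICK = ["ifInUcastPkts", "tcpInSegs"]  # constructed stand-in for stage-2 (RFE) output
```

On this sample `select(COLUMNS, LABELS, RFE_PICK)` keeps `ifInOctets` and `tcpInSegs`: `ifInUcastPkts` is relevant on its own but its rank correlation with the already-kept `ifInOctets` exceeds the cut-off, which is the redundancy a single-stage ranking would leave in the feature set.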