Flow Exporter Impact on Intelligent Intrusion Detection Systems
This work addresses data quality issues for researchers and practitioners in network security, but it is incremental as it focuses on tool-specific improvements rather than a fundamental breakthrough.
The paper tackled the problem of inconsistent feature generation in network intrusion detection datasets by reprocessing raw packets with the HERA flow exporter, resulting in models trained on HERA-generated datasets consistently outperforming those on original datasets with improved accuracy and generalization.
High-quality datasets are critical for training machine learning models, as inconsistencies in feature generation can hinder the accuracy and reliability of threat detection. For this reason, ensuring the quality of the data in network intrusion detection datasets is important. A key component of this is using reliable tools to generate the flows and features present in the datasets. This paper investigates the impact of flow exporters on the performance and reliability of machine learning models for intrusion detection. Using HERA, a tool designed to export flows and extract features, the raw network packets of two widely used datasets, UNSW-NB15 and CIC-IDS2017, were processed from PCAP files to generate new versions of these datasets. These were compared to the original ones in terms of their influence on the performance of several models, including Random Forest, XGBoost, LightGBM, and Explainable Boosting Machine. The results obtained were significant. Models trained on the HERA version of the datasets consistently outperformed those trained on the original dataset, showing improvements in accuracy and indicating a better generalisation. This highlighted the importance of flow generation in the model's ability to differentiate between benign and malicious traffic.