ENIXMA: ENsemble of EXplainable Methods for detecting network Attack

Document Type: Original Article


School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran


The Internet has become an integral part of society, and its availability is essential. Malicious actors nevertheless try to disrupt Internet services and exploit service providers, so robust methods for identifying network attacks are needed. Existing approaches, however, often suffer from limited precision and poor interpretability. In this paper we introduce ENIXMA, which combines an ensemble of machine learning classifiers to improve attack detection. We validate ENIXMA on the CICDDoS2019 dataset, where it raises attack detection precision by 90% on the balanced version of the dataset, compared with the 3% precision gain reported for earlier methods. We apply several preprocessing and normalization techniques, including z-score normalization, to prepare the data. To address interpretability, ENIXMA uses SHAP, LIME, and decision trees to identify the features that matter most for attack detection, and we examine the key decision scenarios within the resulting decision tree. ENIXMA thus achieves higher precision and better interpretability while also running faster than prior techniques.
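As an added example (not code from the ENIXMA paper or its authors), the following stand-alone Python script shows two of the preprocessing and evaluation steps the abstract names, together with a caveat a practitioner would check: z-score normalization whose mean and standard deviation are fitted on the training split only, a majority-vote ensemble of simple per-feature threshold detectors standing in for the paper's classifiers, and the precision the same detector would show once the balanced test mix is replaced by a realistic attack base rate. The flow records, the feature order (flow duration, forward packets per second, mean packet length) and the 1% base rate are constructed assumptions, not rows from CICDDoS2019.

```python
"""Added example, not code from the ENIXMA paper: z-score normalisation fitted on
the training split, a majority-vote ensemble of one-feature threshold detectors,
and precision re-evaluated at a realistic attack base rate."""
import statistics
from typing import List, Sequence, Tuple

Flow = Tuple[int, List[float]]  # (label: 1 = attack, 0 = benign, features)

# Constructed flows (illustrative values, NOT rows from CICDDoS2019).
# Assumed feature order: [flow_duration_s, fwd_packets_per_s, mean_packet_len]
TRAIN: List[Flow] = [
    (0, [12.0, 20.0, 900.0]), (0, [8.5, 35.0, 760.0]),
    (0, [20.0, 15.0, 1100.0]), (0, [5.0, 60.0, 640.0]),
    (1, [0.2, 9000.0, 60.0]), (1, [0.4, 7500.0, 64.0]),
    (1, [0.1, 12000.0, 58.0]), (1, [0.3, 8800.0, 62.0]),
]
TEST_BALANCED: List[Flow] = [
    (0, [15.0, 25.0, 980.0]), (0, [3.0, 80.0, 700.0]),
    (0, [9.0, 40.0, 820.0]), (0, [2.0, 200.0, 400.0]),
    (1, [0.2, 10000.0, 60.0]), (1, [0.5, 6000.0, 70.0]),
    (1, [1.0, 3000.0, 300.0]), (1, [0.3, 9500.0, 59.0]),
]


def fit_zscore(rows: Sequence[Sequence[float]]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and population std from the TRAINING rows only.
    Fitting on the full dataset would leak test statistics into the model."""
    cols = list(zip(*rows))
    mu = [statistics.fmean(c) for c in cols]
    sd = [statistics.pstdev(c) or 1.0 for c in cols]  # constant feature -> sd 1
    return mu, sd


def zscore(x: Sequence[float], mu: Sequence[float], sd: Sequence[float]) -> List[float]:
    return [(v - m) / s for v, m, s in zip(x, mu, sd)]


def fit_stumps(train: Sequence[Flow], mu, sd) -> List[int]:
    """One detector per feature: +1 if attacks sit above the training mean on
    that feature, -1 if below. Detector j flags a flow when sign_j * z_j > 0."""
    signs = []
    for j in range(len(mu)):
        atk = statistics.fmean(zscore(x, mu, sd)[j] for lab, x in train if lab == 1)
        ben = statistics.fmean(zscore(x, mu, sd)[j] for lab, x in train if lab == 0)
        signs.append(1 if atk > ben else -1)
    return signs


def predict(x: Sequence[float], mu, sd, signs: Sequence[int]) -> int:
    """Majority vote of the per-feature detectors (ties -> benign)."""
    z = zscore(x, mu, sd)
    votes = sum(1 for s, v in zip(signs, z) if s * v > 0)
    return 1 if votes * 2 > len(signs) else 0


def evaluate(test: Sequence[Flow], mu, sd, signs) -> dict:
    tp = fp = fn = tn = 0
    for lab, x in test:
        pred = predict(x, mu, sd, signs)
        if pred and lab:
            tp += 1
        elif pred and not lab:
            fp += 1
        elif lab:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "tpr": tp / (tp + fn) if tp + fn else 0.0,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}


def precision_at_base_rate(tpr: float, fpr: float, attack_fraction: float) -> float:
    """Precision the same detector would show when attacks are `attack_fraction`
    of traffic: TPR*p / (TPR*p + FPR*(1-p)). A balanced benchmark is p = 0.5."""
    p = attack_fraction
    hits = tpr * p
    false_alarms = fpr * (1 - p)
    return hits / (hits + false_alarms) if hits + false_alarms else 0.0


def run() -> dict:
    mu, sd = fit_zscore([x for _, x in TRAIN])
    signs = fit_stumps(TRAIN, mu, sd)
    m = evaluate(TEST_BALANCED, mu, sd, signs)
    m["precision_at_1pct"] = precision_at_base_rate(m["tpr"], m["fpr"], 0.01)  # assumed 1% base rate
    return m


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v:.3f}" if isinstance(v, float) else f"{k}: {v}")
```

On the constructed balanced test set the ensemble reaches precision 0.8 with a false-positive rate of 0.25 (one short, bursty benign flow is outvoted by two detectors). Extrapolated to traffic in which attacks are 1% of flows, the same TPR and FPR give a precision of roughly 0.04, which is why a precision figure from a balanced benchmark should always be read alongside the false-positive rate and the expected base rate of the deployment.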

