ByteStack-ID: Integrated Stacked Model Leveraging Payload Byte Frequency for Grayscale Image-based Network Intrusion Detection

Irfan Khan, Yasir Ali Farrukh, Syed Wali

TL;DR

ByteStack-ID tackles packet-level intrusion detection by converting payload byte frequencies into 16×16 grayscale images and integrating a stacked ensemble where 15 one-vs-all base learners share information with an integrated meta-learner. Unlike traditional stacking, the meta-learner is fused into the base learners by attaching dense layers to their second-last representations while freezing the base weights, trained on a dedicated data subset. Empirical results on CIC-IDS2017 show ByteStack-ID achieving superior macro F1 and per-class precision/recall compared to both baselines and state-of-the-art packet-level methods. The approach provides a robust, scalable NIDS solution for IoT-era network security by leveraging rich payload information at the packet level.
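The payload-to-image step summarized above, as an added example that is not the authors' code. The page states only the 16×16 size and normalization by the highest byte frequency within each packet; the row-major pixel layout, the 0..255 intensity scaling, and the sample payloads are assumptions of this example.

```python
from collections import Counter

SIDE = 16  # 16 x 16 = 256 pixels, one per possible byte value


def payload_to_image(payload: bytes) -> list[list[int]]:
    """Map a packet payload to a 16x16 grayscale image of byte frequencies.

    Pixel (r, c) holds the count of byte value r*16 + c, divided by the
    highest count in this packet and scaled to 0..255 (layout and 8-bit
    scaling are assumptions of this example).
    """
    counts = Counter(payload)
    peak = max(counts.values(), default=0)
    if peak == 0:
        # Empty payload (e.g. a bare TCP ACK): all-black image, no division.
        return [[0] * SIDE for _ in range(SIDE)]
    flat = [round(255 * counts.get(b, 0) / peak) for b in range(256)]
    return [flat[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]


def to_pgm(image: list[list[int]]) -> bytes:
    """Serialize as binary PGM (P5) so the image opens in any viewer."""
    header = f"P5\n{SIDE} {SIDE}\n255\n".encode("ascii")
    return header + bytes(p for row in image for p in row)


# Constructed sample payloads, not taken from CIC-IDS2017.
HTTP_LIKE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
UNIFORM = bytes(range(256)) * 4  # every byte value equally frequent
EMPTY = b""

if __name__ == "__main__":
    samples = [("http", HTTP_LIKE), ("uniform", UNIFORM), ("empty", EMPTY)]
    for name, payload in samples:
        img = payload_to_image(payload)
        lit = sum(p > 0 for row in img for p in row)
        print(f"{name:8s} len={len(payload):4d} non-zero pixels={lit}")
```

Because each image is normalized by its own peak count, a payload and the same payload repeated several times produce identical images, so the representation carries byte-distribution shape rather than payload length.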

Abstract

In the ever-evolving realm of network security, the swift and accurate identification of diverse attack classes within network traffic is of paramount importance. This paper introduces "ByteStack-ID," a pioneering approach tailored for packet-level intrusion detection. At its core, ByteStack-ID leverages grayscale images generated from the frequency distributions of payload data, a groundbreaking technique that greatly enhances the model's ability to discern intricate data patterns. Notably, our approach is exclusively grounded in packet-level information, a departure from conventional Network Intrusion Detection Systems (NIDS) that predominantly rely on flow-based data. While building upon the fundamental concept of stacking methodology, ByteStack-ID diverges from traditional stacking approaches. It seamlessly integrates additional meta learner layers into the concatenated base learners, creating a highly optimized, unified model. Empirical results unequivocally confirm the outstanding effectiveness of the ByteStack-ID framework, consistently outperforming baseline models and state-of-the-art approaches across pivotal performance metrics, including precision, recall, and F1-score. Impressively, our proposed approach achieves an exceptional 81% macro F1-score in multiclass classification tasks. In a landscape marked by the continuous evolution of network threats, ByteStack-ID emerges as a robust and versatile security solution, relying solely on packet-level information extracted from network traffic data.

Paper Structure (10 sections, 6 figures, 2 tables)

This paper contains 10 sections, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Pictorial representation of the processing pipeline for generating grayscale images from raw network packets. The calculated packet's payload byte distribution is normalized with respect to the highest frequency within each packet.
  • Figure 2: Visualization of grayscale images generated from raw network packets, derived from payload byte frequency distribution. The examples shown are randomly selected for illustration.
  • Figure 3: Model architecture of the proposed approach—comprising 15 distinct base learner models, each trained for a specific attack class using a one-vs-all approach. Integrated stacking is achieved through a meta learner whose additional dense layers are attached to the non-trainable concatenated base learners, forming an integrated stacking model.
  • Figure 4: Model architecture of the adopted deep concatenated 2D-CNN for base learners—consisting of four blocks with input and output concatenation for enhanced feature extraction.
  • Figure 5: Model architecture of the integrated meta learner and its integration with base learners. Green blocks represent additional layers of the meta learner integrated with all base learners, with base learners' weights frozen as non-trainable.
  • ...and 1 more figures