Sequential Binary Classification for Intrusion Detection
Shrihari Vasudevan, Ishan Chokshi, Raaghul Ranganathan, Nachiappan Sundaram
TL;DR
This work tackles severe class imbalance in multi-class intrusion detection datasets by introducing Sequential Binary Classification (SBC), a hierarchical OVAO binarization that trains binary classifiers on progressively smaller data subsets as the majority class is peeled away. SBC is paired with hyperparameter optimization strategies (GS, HGS, pHGS) that bound search spaces using information from earlier stages, yielding substantial reductions in training and tuning time. Empirical results on CICIDS-2017 and UNSW-NB15 show SBC can outperform traditional MCC approaches with sample-weights in terms of average F1 and per-class stability on imbalanced data, though the approach incurs higher inference latency due to its sequential structure. The method is particularly suited for signature-based IDS and can be extended to anomaly-based systems, offering a practical, structure-driven alternative to data-driven imbalance remedies.
Abstract
Network Intrusion Detection Systems (IDS) have become increasingly important as networks become more vulnerable to new and sophisticated attacks. Machine Learning (ML)-based IDS are increasingly seen as the most effective approach to handle this issue. However, IDS datasets suffer from high class imbalance, which impacts the performance of standard ML models. Unlike existing data-driven techniques for handling class imbalance, this paper explores a structural approach to handling class imbalance in multi-class classification (MCC) problems. The proposed approach, Sequential Binary Classification (SBC), is a hierarchical cascade of (regular) binary classifiers. Experiments on benchmark IDS datasets demonstrate that the structural approach to handling class imbalance, as exemplified by SBC, is a viable approach to handling the issue.
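
The cascade described above, sketched as an added example (not the authors' code). It assumes classes are peeled off in descending frequency order and uses a 1-nearest-neighbour rule as a stand-in for the paper's binary classifiers; the data set and the names `train_sbc`, `is_positive`, `predict_sbc` and `make_class` are constructed for illustration.

```python
import math
from collections import Counter

def train_sbc(X, y):
    """Build the cascade: one binary (class-vs-rest) stage per class, most
    frequent class first (ordering assumed); each stage keeps only the
    samples left after earlier classes were peeled away."""
    order = [label for label, _ in Counter(y).most_common()]
    remaining = list(zip(X, y))
    stages = []
    for label in order[:-1]:              # the last class needs no classifier
        stages.append((label, remaining))
        remaining = [(x, t) for x, t in remaining if t != label]
    return stages, order[-1]

def is_positive(stage_data, label, x):
    """Stand-in binary classifier: 1-nearest-neighbour, label vs. rest."""
    _, nearest_label = min(stage_data, key=lambda s: math.dist(s[0], x))
    return nearest_label == label

def predict_sbc(model, x):
    """Walk the stages in order; return (predicted label, stages evaluated)."""
    stages, fallback = model
    for depth, (label, data) in enumerate(stages, start=1):
        if is_positive(data, label, x):
            return label, depth
    return fallback, len(stages)

def make_class(center, n, label):
    """Constructed, deterministic 2-feature samples on a small grid."""
    cx, cy = center
    pts = [(cx + (i % 3 - 1) * 0.5, cy + (i // 3 % 3 - 1) * 0.5) for i in range(n)]
    return pts, [label] * n

# Constructed imbalanced data set (not CICIDS-2017 / UNSW-NB15 records).
SPEC = [((0, 0), 90, "benign"), ((10, 0), 18, "dos"),
        ((0, 10), 9, "portscan"), ((10, 10), 3, "bot")]
X, y = [], []
for center, n, label in SPEC:
    pts, labels = make_class(center, n, label)
    X += pts
    y += labels

MODEL = train_sbc(X, y)

if __name__ == "__main__":
    for probe in [(0.2, 0.1), (9.8, 0.3), (0.1, 9.7), (9.9, 10.2)]:
        print(probe, predict_sbc(MODEL, probe))
```

The second value returned by `predict_sbc` is the number of stages evaluated: majority-class traffic exits at stage 1, while the rarest classes traverse the whole cascade, which is the source of the higher inference latency noted in the TL;DR.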
