Table of Contents
Fetching ...

Cyber Security Data Science: Machine Learning Methods and their Performance on Imbalanced Datasets

Mateo Lopez-Ledezma, Gissel Velarde

TL;DR

This work tackles imbalanced binary classification in cybersecurity by comparing six ML classifiers and several imbalance-handling techniques on two representative fraud-detection datasets. It employs three experiments to assess individual classifiers, sampling-based balance methods, and Self-Paced Ensembling with varying base classifiers, using 5-fold stratified CV and F1 optimization. Key findings show XGBoost and Random Forest are robust across datasets, sampling techniques have mixed effects (often improving recall at the expense of precision), and Self-Paced Ensembling can boost precision but increases training time, with dataset-specific best configurations. The results underscore the need to tailor model choice and imbalance strategies to each cybersecurity dataset and application, rather than relying on a single best approach. This provides practical guidance for building automated, scalable anomaly, fraud, intrusion, or malware detection systems under extreme class imbalance.

Abstract

Cybersecurity has become essential worldwide and at all levels, concerning individuals, institutions, and governments. A basic principle in cybersecurity is to be always alert. Therefore, automation is imperative in processes where the volume of daily operations is large. Several cybersecurity applications can be addressed as binary classification problems, including anomaly detection, fraud detection, intrusion detection, spam detection, or malware detection. We present three experiments. In the first experiment, we evaluate single classifiers including Random Forests, Light Gradient Boosting Machine, eXtreme Gradient Boosting, Logistic Regression, Decision Tree, and Gradient Boosting Decision Tree. In the second experiment, we test different sampling techniques including over-sampling, under-sampling, Synthetic Minority Over-sampling Technique, and Self-Paced Ensembling. In the last experiment, we evaluate Self-Paced Ensembling and its number of base classifiers. We found that imbalance learning techniques had positive and negative effects, as reported in related studies. Thus, these techniques should be applied with caution. Besides, we found different best performers for each dataset. Therefore, we recommend testing single classifiers and imbalance learning techniques for each new dataset and application involving imbalanced datasets as is the case in several cyber security applications.

Cyber Security Data Science: Machine Learning Methods and their Performance on Imbalanced Datasets

TL;DR

This work tackles imbalanced binary classification in cybersecurity by comparing six ML classifiers and several imbalance-handling techniques on two representative fraud-detection datasets. It employs three experiments to assess individual classifiers, sampling-based balance methods, and Self-Paced Ensembling with varying base classifiers, using 5-fold stratified CV and F1 optimization. Key findings show XGBoost and Random Forest are robust across datasets, sampling techniques have mixed effects (often improving recall at the expense of precision), and Self-Paced Ensembling can boost precision but increases training time, with dataset-specific best configurations. The results underscore the need to tailor model choice and imbalance strategies to each cybersecurity dataset and application, rather than relying on a single best approach. This provides practical guidance for building automated, scalable anomaly, fraud, intrusion, or malware detection systems under extreme class imbalance.

Abstract

Cybersecurity has become essential worldwide and at all levels, concerning individuals, institutions, and governments. A basic principle in cybersecurity is to be always alert. Therefore, automation is imperative in processes where the volume of daily operations is large. Several cybersecurity applications can be addressed as binary classification problems, including anomaly detection, fraud detection, intrusion detection, spam detection, or malware detection. We present three experiments. In the first experiment, we evaluate single classifiers including Random Forests, Light Gradient Boosting Machine, eXtreme Gradient Boosting, Logistic Regression, Decision Tree, and Gradient Boosting Decision Tree. In the second experiment, we test different sampling techniques including over-sampling, under-sampling, Synthetic Minority Over-sampling Technique, and Self-Paced Ensembling. In the last experiment, we evaluate Self-Paced Ensembling and its number of base classifiers. We found that imbalance learning techniques had positive and negative effects, as reported in related studies. Thus, these techniques should be applied with caution. Besides, we found different best performers for each dataset. Therefore, we recommend testing single classifiers and imbalance learning techniques for each new dataset and application involving imbalanced datasets as is the case in several cyber security applications.
Paper Structure (12 sections, 5 figures, 5 tables)

This paper contains 12 sections, 5 figures, 5 tables.

Figures (5)

  • Figure 1: A schematic representation of the method.
  • Figure 2: Experiment 1. Performance of individual classifiers evaluated over Precision, Recall, and F1. The upper row of figures corresponds to the results on Credit Card. The lower row corresponds to the results on PaySim.
  • Figure 3: Experiment 2. Effect of sampling techniques: No Sampling, Over-Sampling, Under-Sampling, and SMOTE. Evaluation over Precision, Recall, and F1. Blue, orange, green, and red, marked as (New), correspond to optimising classifiers using the resampled training set. Purple, brown, pink, and grey, marked as (Old), correspond to using the parameters found in Experiment 1 and retraining with the resampled dataset. The upper row of figures corresponds to the results on Credit Card. The lower row corresponds to the results on PaySim.
  • Figure 4: Experiment 3. SPE and the number of base classifiers (N = 10, 20, 50) evaluated over Precision, Recall, and F1. The upper row of figures corresponds to the results on Credit Card. The lower row corresponds to the results on PaySim.
  • Figure 5: Execution time (minutes:seconds) for a single run including no-sampling, sampling or ensembling when model training. Execution on Google Colab.