Enhancing Network Intrusion Detection Systems through Cost-Sensitive Ensemble Learning with the CS-Forest Approach for Accurate Detection of Minority-Class Attacks

preprint OA: closed
Full text JSON View at publisher

Abstract

Abstract The growing complexity and number of cyberattacks make it necessary to have sophisticated security mechanisms to defend computer networks. Intrusion Detection Systems (IDS) play a crucial role in observing network traffic and detecting malicious behavior. However, conventional IDS tend to perform poorly in the detection of minority-class attacks like User-to-Root (U2R) and Remote-to-Local (R2L) because datasets like NSL-KDD are class-imbalanced. This imbalance results in high false-positive and false-negative rates, weakening the performance of the IDS. To meet these challenges, this research presents a new Cost-Sensitive Forest (CS-Forest) model that combines cost-sensitive learning and ensemble decision tree approaches. The CS-Forest model gives higher misclassification costs to minority classes to increase the identification of underrepresented attacks. It is tested on the NSL-KDD dataset, where the CS-Forest model achieved 87.41% accuracy, higher than standard classifiers like Average One Dependency Estimator (A1DE), K-Nearest Neighbor (KNN), Naïve Bayes (NB), Random Forest (RF), and Support Vector Machine (SVM). The design of the model lowers false positives and negatives very efficiently, showing its strength and effectiveness in strengthening network security by identifying infrequent intrusion attacks more efficiently.
Full text 177,388 characters · extracted from preprint-html · click to expand
Enhancing Network Intrusion Detection Systems through Cost-Sensitive Ensemble Learning with the CS-Forest Approach for Accurate Detection of Minority-Class Attacks | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Article Enhancing Network Intrusion Detection Systems through Cost-Sensitive Ensemble Learning with the CS-Forest Approach for Accurate Detection of Minority-Class Attacks Muhammad Binsawad This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7187958/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract The growing complexity and number of cyberattacks make it necessary to have sophisticated security mechanisms to defend computer networks. Intrusion Detection Systems (IDS) play a crucial role in observing network traffic and detecting malicious behavior. However, conventional IDS tend to perform poorly in the detection of minority-class attacks like User-to-Root (U2R) and Remote-to-Local (R2L) because datasets like NSL-KDD are class-imbalanced. This imbalance results in high false-positive and false-negative rates, weakening the performance of the IDS. To meet these challenges, this research presents a new Cost-Sensitive Forest (CS-Forest) model that combines cost-sensitive learning and ensemble decision tree approaches. The CS-Forest model gives higher misclassification costs to minority classes to increase the identification of underrepresented attacks. It is tested on the NSL-KDD dataset, where the CS-Forest model achieved 87.41% accuracy, higher than standard classifiers like Average One Dependency Estimator (A1DE), K-Nearest Neighbor (KNN), Naïve Bayes (NB), Random Forest (RF), and Support Vector Machine (SVM). The design of the model lowers false positives and negatives very efficiently, showing its strength and effectiveness in strengthening network security by identifying infrequent intrusion attacks more efficiently. Physical sciences/Engineering Physical sciences/Mathematics and computing Intrusion Detection System (IDS) CS-Forest Machine Learning Network Security Attack Classification Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 1. Introduction The increasing susceptibility of Internet computer networks to security risks necessitates sensible and timely security measures. This is evident because many attackers focus on sensitive information, which attacks are designed to steal, modify, or destroy such information. Intrusions occur when an attacker gains unauthorized access to a system and transmits malicious packets, whereas attacks are unauthorized actions in the network or the transfer of malicious data (Amru et al. 2024). These are user errors, configuration mistakes, or bugs in software; in addition, malicious attackers can exploit multiple system weaknesses for more complex attacks. With global networks hosting vast online services and big servers, these systems become attractive targets for attackers. Effective intrusion detection systems (IDS) are therefore important to protect such networks. According to the 2020 Trustwave Global Security Report (T. Holdings, 2025), 50 percent of corporate networks had encounters with security incidents involving phishing and social engineering, while further impacts were incurred on e-commerce at 22%, cloud systems at 20%, and point-of-sale systems at 5%. In 2019, external activities were associated with 86% of intrusion events (Talukder et al. 2023). IDS can be categorized as network-based (NIDS) or host-based (HIDS). NIDS monitors network traffic and connected devices to detect intrusions, while HIDS analyzes activities on individual devices, such as system calls, file modifications, and application logs (Satilmiş et al. 2024). IDS can also be classified by their analysis type: signature-based (SIDS) or anomaly-based (AIDS). SIDS relies on predefined signatures to identify threats, requiring an updated database of known attack patterns (Joraviya et al. 2024). Wherein, AIDS models normal system behavior and alerts deviations beyond the established thresholds or when the behavior seems anomalous against learned norms. Comparing SIDS with anomaly-based IDS, it may be emphasized that while it effectively detects known threats through identifiable malware patterns, SIDS is inefficient with unknown and unpredictable attacks. Anomaly-based IDS, on the other hand, can determine unknown malware by evaluating data against learned behaviors and flagging suspicious activity (VeeraKumaran). The role of artificial intelligence (AI), especially machine learning (ML) and deep learning (DL), in IDS has increased quite prominently to allow intrusion detection. Advanced techniques by attackers, however, create some problems in network protection. Having the potential to infer patterns straight from specified inputs without any concrete algorithm (Alamin Talukder et al. 2024; Talukder et al. 2024), gives ML a very high usage in the development of IDS. However, managing large and ever-growing data sets remains an open issue in ML, data mining, and text mining (Bertoli et al. 2021; Apruzzese et al. 2022). In the context of internet-connected systems, ML-based IDSs are welcomed in terms of adaptation and anomaly modes of detection, but must evolve rapidly to combat emerging security threats. This research proposes a new intrusion detection model, Cost-Sensitive Forest (CS-Forest), that combines ensemble learning through Random Forests with cost-sensitive learning concepts to improve the identification of rare and minority-class attacks. Tested on the NSL-KDD dataset, the CS-Forest model shows better performance compared to renowned machine learning models, such as Average One Dependency Estimator (A1DE), K-nearest Neighbor (KNN), Naïve Bayes (NB), Support Vector Machine (SVM), and traditional Random Forest (RF). Performance is evaluated based on key performance metrics like Kappa Statistics (KS), Mean Absolute Error (MAE), precision, recall, F-measure, Mathew's Correlation Coefficient (MCC), and accuracy. The model reduces the false positives and false negatives efficiently while retaining good overall detection ability, which helps in the development of more robust and efficient intrusion detection systems. The main objectives of this research study are to: Create a new cost-sensitive ensemble model (CS-Forest) specific to NIDS, which effectively solves the class imbalance issue prevalent in intrusion detection data. Improve the detection accuracy of minority-class intrusions by incorporating cost-sensitive learning principles into decision tree building, thus minimizing false negatives and enhancing sensitivity to infrequent attack patterns. Compare the CS-Forest model proposed here with the standard classifiers like RF, KNN, A1DE, NB, and SVM using various evaluation metrics like accuracy, precision, recall, F-measure, KS-statistic, MAE, MCC, TPR, and FPR. Prove the practical applicability of the CS-Forest model by verifying its performance on the NSL-KDD dataset, highlighting its superiority in intrusion detection with high accuracy and reliability and low false alarms. This research makes several contributions to NID research. First, it proposes a new cost-sensitive ensemble learning model, CS-Forest, that is particularly aimed at handling the class imbalance issue prevalent in intrusion detection data sets. By using cost-sensitive learning techniques like weighted sampling and adjusted split criteria, the model effectively enhances minority-class intrusion detection, which tends to be ignored by conventional classifiers. Secondly, the CS-Forest model shows better performance on a broad range of evaluation measures such as KS-statistic, MCC, accuracy, precision, recall, F-measure, TPR, and FPR, thus proving its reliability and robustness in detecting both frequent and rare attack types. Third, the research presents a thorough comparative study against traditional models such as RF, KNN, A1DE, NB, and SVM, emphasizing the substantial gains achieved by CS-Forest in predictive accuracy as well as false positive reduction. Moreover, the model has a robust balance between classification stability and computational cost, which makes it deployable in real-time and resource-limited settings. Lastly, the study emphasizes the applicability of applying cost-sensitive learning in actual NIDS, providing a scalable and flexible solution to augment cybersecurity infrastructures. The rest of this study is organized as follows: Section 2, related literature review; Section 3, proposed methodology; Section 4, analysis and discussion of the results; and Section 5, conclusion of the study. 2. Literature Study In recent years, researchers have become more interested in the amalgamation of ML techniques and intrusion detection systems for improved network attack detection. For example, the authors of (Amor et al. 2004) discuss how the Naive Bayes algorithm is a very effective technique at detecting network anomalies if pitted against the traditional decision tree approach commonly used in ML. Similarly, work in (Tao et al. 2018) implemented a support vector machine with the genetic algorithm for optimization of feature selection parameter tuning and weighing. This eventually enhances network attack accuracy. In (Ren et al. 2019), a multi-level approach utilizes the random forest model; therefore, better differentiation of anomalous network behaviors will be achieved. Ref. (Shapoorifard and Shamsinejad 2017) presented a K-means clustering implementation, which is used in improving the classification of KNN. In addition, a new approach proposed in (Kim et al. 2014) is presented. Here, network data was divided into subsets by using C4.5 decision tree algorithms and applying multiple SVM models on subsets, and the reduction in computational complexity and detection of unknown attacks improved many times. Typically, traditional approaches to ML need huge feature engineering, which is computationally expensive and would limit the ability to detect simple deep features. To address these challenges, many researchers are shifting towards DL methods in hopes of being able to directly input network traffic data into models and bypass the feature selection phase. For example, the authors in (Zhao et al. 2017) propose a model that combines deep belief networks (DBNs) with probabilistic neural networks (PNNs), where DBNs are utilized for dimensionality reduction, and PNNs are used for classification, outperforming traditional PNN-based methods. In (Wang et al. 2017), an image-based detection scheme utilizing CNNs is proposed: traffic data can be represented as images, hence making manual feature design unnecessary. Additionally, the study in (Torres et al. 2016) uses RNNs for Botnet anomaly detection, taking into account the fact that an RNN could exploit timing features well to improve classification accuracy. Javaid et al. (Javaid et al. 2016) introduced a dynamic and efficient intrusion detection system using self-taught learning in conjunction with deep learning frameworks. The methodology consisted of a sparse auto-encoder along with multinomial logistic regression, tested on the NSL-KDD dataset. The results reported that the STL-based model achieved an accuracy of 88.38% for binary classification and 79.10% for multi-class classification. In a similar context, Shone et al. (Shone et al. 2018) present a supervised technique for feature learning that relies on a Non-Symmetric Deep Auto-encoder. Their model was tested with both the NSL-KDD and KDD Cup '99 datasets. It achieved an accuracy rate of 85.42% in the five-class classification task. Other significant advancements in deep learning-based IDS could be found in the work of Yin et al. (Yin et al. 2017), who employ a recurrent neural network to classify intrusions. Their model took a 122-dimensional input and resulted in binary classification, achieving 83.28% for binary classification and 81.29% for five-class multi-classification on the NSL-KDD dataset. Wang et al. (Wang et al. 2018) proposed a representation learning method for intrusion detection that analyzes raw network activity data by using a convolutional neural network (CNN). Despite the new style, using 5 × 5 filter sizes with 16 and 32 filters, the precision of the model is restricted by the low resolution of input image data. Table 1 briefs the overall literature study. Researchers (Zhang and Liu 2022) used Borderline-SMOTE to enhance the rare-class attack detection accuracy in IoT environments, which has addressed class imbalance problems. Another research study (Andresini et al. 2021) applied GANs to produce synthetic rare-class attack data for improving the CNN-based intrusion detection models. Researchers (Kumar and Sinha 2023) used WCGAN to develop rare-class attack samples, thus improving the XGBoost classifiers' recognition rates for rare-class intrusions. In addition, research (Yang et al. 2023) proposed the geometric Synthetic Minority Oversampling Technique, an optimized kernel density estimation algorithm, which obtains high multiclass classification accuracies of 86.39% and 99.94% on the NSL-KDD and N-BaIoT datasets, respectively. Several techniques, including interpolation, oversampling, and encoder-generated data, have been utilized to balance training sets and further enhance results. Traditional methods such as SMOTE (Alamin Talukder et al. 2022; Balla et al. 2023), Borderline-SMOTE, and ADASYN create synthetic samples by generating new instances along line segments connecting minority class instances (Lavanya and Rajalakshmi 2023). Despite the several advancements in intrusion detection systems, there are some limitations in the methodologies used. For example, approaches like NB and RF models tend not to perform so well with large-dimensional data; as the size of the dataset gets larger, so does the likelihood of performance degrading. Some optimization techniques may be computationally expensive and sensitive to overfitting, including genetic algorithms, and hybrid models containing SVM or DT. Similar improvements in KNN by the clustering or partitioning methods are likely to offer low scalability and sensitivity to the choice of parameters. DL methods, promising as they are, have issues including high computational demand, overfitting, and poor generalization to unseen attacks. For instance, CNNs may be limited to the resolution of the input data, while RNNs may be unable to deal with long-range dependencies in high-dimensional data. Methods based on synthetic data generation, such as SMOTE, Borderline-SMOTE, ADASYN, and GAN-based methods, struggle to capture minority class characteristics with precision, possibly producing noisy or unrealistic samples that degrade model performance. Moreover, the computational expense of more complex methods, including WCGANs and geometric Synthetic Minority Oversampling Techniques, limits their wider usage. This will address the above limitations in improving the scalability, efficiency, and robustness of intrusion detection systems. Table 1 Summary of Recent Advancements in ML and DL-based Intrusion Detection Systems Author and Reference Main Contributions Field N. Ben Amor, (Amor et al. 2004) Utilized Naive Bayes for network anomaly detection and compared it with decision trees. ML P. Tao, Z. Sun, (Tao et al. 2018) Combined genetic algorithm with SVM for optimized feature selection, parameter tuning, and weighting to enhance detection accuracy. ML J. Ren, (Ren et al. 2019) Proposed a multi-level random forest model to detect anomalous network behaviors. ML H. Shapoorifard, (Shapoorifard and Shamsinejad 2017) Improved KNN by integrating it with K-Means clustering to enhance detection accuracy. ML G. Kim, (Kim et al. 2014) Introduced a hybrid approach using the C4.5 decision tree to partition data and SVM models to improve unknown attack detection. ML G. Zhao, (Zhao et al. 2017) Developed a hybrid model combining DBNs for dimensionality reduction and PNNs for classification, achieving higher accuracy. DL W. Wang, (Wang et al. 2017) Proposed a CNN-based detection method that represents traffic data as images, eliminating manual feature design. DL P. Torres, (Torres et al. 2016) Used RNNs to detect Botnet anomalies, leveraging timing features to improve classification accuracy. DL A. Javaid, (Javaid et al. 2016) Proposed an STL-based IDS using sparse auto-encoders with multinomial logistic regression, achieving high accuracy on NSL-KDD. DL N. Shone, (Shone et al. 2018) Introduced a supervised learning method using a Non-Symmetric Deep Auto-encoder, tested on NSL-KDD and KDD Cup '99 datasets. DL C. Yin, (Yin et al. 2017) Implemented an RNN-based IDS, achieving significant accuracy on binary and multi-class classification on NSL-KDD. DL Y. Wang, (Wang et al. 2018) Proposed a CNN-based representation learning method for intrusion detection using raw network activity data. DL R. Zhang, (Zhang and Liu 2022) Used Borderline-SMOTE to enhance rare-class attack detection accuracy in IoT environments, addressing class imbalance. ML G. Andresini, (Andresini et al. 2021) Applied GANs to generate synthetic rare-class attack data, improving CNN-based intrusion detection models. DL V. Kumar, (Kumar and Sinha 2023) Employed WCGAN to develop rare-class attack samples, boosting XGBoost classifiers' recognition rates for rare-class intrusions. DL Y, Yang, (Yang et al. 2023) Proposed the geometric Synthetic Minority Oversampling Technique, achieving high multiclass classification accuracies on NSL-KDD and N-BaIoT datasets. ML M. Alamin, [ 27 ] Used traditional SMOTE to generate synthetic samples for class imbalance. ML A. Balla, [ 28 ] Employed Borderline-SMOTE to create synthetic samples for minority class detection. ML T. Lavanya, (Lavanya and Rajalakshmi 2023) Used ADASYN to generate synthetic samples, improving the detection of rare class instances. DL 3. Proposed Scheme This study tries to find out the predictability of network intrusions and their potential impact on systems and data. Although current intrusion detection models can be used to detect anomalies in network traffic, they still fail to prevent such anomalies and intrusions from causing damage (Choudhury and Bhowal 2015). Intrusion detection is very important to ensure system security because it can reduce the risks of data loss and corruption. These vulnerabilities must be addressed with urgency to minimize damage. The data set used in this paper is the updated NSL-KDD dataset of 2019, available at https://www.unb.ca/cic/datasets/nsl.html . Figure 1 shows the general methodology and approach adopted for conducting this research. The experiments were done on a system with an Intel Core i7 CPU, 16GB of RAM, and the Windows operating system. All implementations were performed in Python 3.9 using Scikit-learn and other relevant ML libraries. Separate datasets are used for training and testing machine learning models. The training dataset consists of 125,973 instances, of which 58,631 are anomaly records and 67,342 are normal records. The testing dataset consists of 22,544 instances. Both datasets consist of 42 features, with one of the features being a class attribute that labels whether a record is normal or abnormal. The classes and ranges of the NSL-KDD dataset are shown in Table 1 . Of the 42 features, one is for a class attribute, while the remaining 41 fall into four categories described as follows: Basic (B) features: Features of individual TCP connections. Content (C) features: Features derived from domain knowledge about particular relationships. Traffic (T) features: Measured over a two-second time window. Host (H) features: Metrics that aim at measuring attacks that linger for more than two seconds. Table 2 Classes and Feature Categories of the NSL-KDD Dataset S No Label Attribute Value Range 1 B duration Real 2 B protocol type tcp, udp, icmp 3 B service courier, aol, bgp, ctf, auth, csnet_ns, discard, domain, domain_u, echo, eco_i, ecr_i, efs, daytime, finger, ftp, gopher, ftp_data, exec, harvest, hostnames, http, http_2784, http_8001, http_443, imap4, iso_tsap, IRC, kshell, klogin, login, ldap, link, mtp, name, netbios_dgm, netbios_ns, netbios_ssn, netstat, nnsp, nntp, ntp_u, other, pm_dump, pop_2, pop_3, printer, private, red_i, remote_job, rje, shell, smtp, sql_net, ssh, sunrpc, supdup, systat, telnet, tftp_u, tim_i, time, urh_i, urp_i, uucp, uucp_path, vmnet, whois, X11, Z39_50 4 B flag oth, rej, rsto, rstos0, rstr, s0, s1, s2, s3, sf, sh 5 B dst_bytes Real-data 6 B src_bytes Real-data 7 B wrong_fragment Real-data 8 B land 0, 1 9 B urgent Real-data 10 H dst_host_count Real-data 11 H dst_host_same_srv_rate Real-data 12 H dst_host_srv_count Real-data 13 H dst_host_same_src_port_rate Real-data 14 H dst_host_serror_rate Real-data 15 H dst_host_diff_srv_rate Real-data 16 H dst_host_rerror_rate Real-data 17 H dst_host_srv_diff_host_rate Real-data 18 H dst_host_ressor_rate Real-data 19 H dst_host_srv_serror_rate Real-data 20 C hot Real-data 21 C is_guest_login 0, 1 22 C is_host_login 0, 1 23 C logged_in 0, 1 24 C num_field_login Real-data 25 C num_compromised Real-data 26 C su_attempted Real-data 27 C root_shell Real-data 28 C num_file_creations Real-data 29 C num_root Real-data 30 C num_access_files Real-data 31 C num_shells Real-data 32 C num_outbound_cmds Real-data 33 T srv_diff_host_rate Real-data 34 T srv_count Real-data 35 T count Real-data 36 T srv_serror_rate Real-data 37 T serror_rate Real-data 38 T srv_rerror_rate Real-data 39 T rerror_rate Real-data 40 T diff_srv_rate Real-data 41 T same_srv_rate Real-data 42 - class normal, anomaly 3.1 Model Evaluation and Comparison Any intelligent model may be compared using several evaluation metrics, depending on particular assessment criteria. However, in this study, we employed two different types of evaluation measures: To assess the error rate of each utilized model, which is also an important factor in the evaluation of intelligence models, and To assess the precision of each model. Two measurements are employed to assess the error rate: KS is used to measure the degree of agreement between two raters or classifiers beyond that which would be expected by chance (Deist et al. 2018). $$\:KS=\:\frac{{P}_{o}-\:{P}_{e}}{1-\:{P}_{e}}$$ 1 Where, \(\:{P}_{o}\) Observed agreement (the proportion of times the raters agree), and \(\:{P}_{e}\) expected agreement (the proportion of agreement expected by chance). MAE is used to measure the mean absolute error between paired observations that express the same attributes (Khan et al. 2020), $$\:\text{M}\text{A}\text{E}=\frac{1}{\text{n}}\sum\:_{\text{i}=1}^{\text{n}}\left|{\text{x}}_{\text{i}}-\text{x}\right|$$ 2 . Where: n = the number of errors, |xi – x| = the absolute errors, Σ = summation symbol (which means “add them all up”), For the assessment of precision, different measures are used, including F-measure, Recall, Precision, MCC, and Accuracy. Precision and Recall are useful for measuring the success of a predictor in unbalanced classes. Precision is the measure of relevancy in the results, and recall is the measure of truly relevant returned results (Naseem et al. 2020b), $$\:\text{P}\text{r}\text{e}\text{c}\text{i}\text{s}\text{i}\text{o}\text{n}=\text{T}\text{P}/(\text{T}\text{P}+\text{F}\text{P})$$ 3 , $$\:\text{R}\text{e}\text{c}\text{a}\text{l}\text{l}=\text{T}\text{P}/(\text{T}\text{P}+\text{F}\text{N})$$ 4 . F-measure computes the predictor accuracy by taking a weighted average of precision and recall as (Subasi and Kremic 2020), $$\:\text{F}=\frac{\text{T}\text{P}}{\text{T}\text{P}+\frac{1}{2}(\text{F}\text{P}+\text{F}\text{N})}$$ 5 . MCC measures the quality through binary classifiers as [ 31 ] [ 33 ], $$\:\text{M}\text{C}\text{C}=\frac{\text{T}\text{P}\text{x}\text{T}\text{N}-\text{F}\text{P}\text{x}\text{F}\text{N}}{\sqrt{(\text{T}\text{P}+\text{F}\text{P})(\text{T}\text{P}+\text{F}\text{N})(\text{T}\text{N}+\text{F}\text{P})(\text{T}\text{N}+\text{F}\text{N})}}$$ 6 . Accuracy is the measure of how much the forecast is accurate and can be calculated as: $$\:\text{A}\text{c}\text{c}\text{u}\text{r}\text{a}\text{c}\text{y}=\:\frac{\text{T}\text{P}+\text{T}\text{N}}{\text{T}\text{P}+\text{T}\text{N}+\text{F}\text{P}+\text{F}\text{N}}$$ 7 Where TP is the situations where the projected "yes" was correct (predict real intrusion), TN is expected a "no" (they are not the intrusion), FP anticipated the "yes," but they are not the intruders (This is sometimes mentioned to as a "Type I error"), and FN expected "no," yet they are the intruders. (This is often mentioned as a "Type II error.") 3.2 Proposed CS-Forest Model CS-Forest (Cost-Sensitive Forest) is an advanced ensemble learning approach specially designed for dealing with imbalanced datasets, incorporating cost-sensitive learning principles into traditional ensemble methods like RF (Siers and Islam 2014). CS-Forest emphasizes reducing the problem of class imbalance, as in many intrusion detection datasets, attacks or minority class are far less frequent than normal activity, or the majority class, and a higher cost is assigned for misclassifications of instances in the minority class to enhance the detection of the critical cases. The model depends on decision trees as base learners, but with a cost-sensitive approach during both sampling and training. In weighted sampling, minority-class instances get over-sampled or assigned higher weights to balance their influence. The weight for each instance \(\:{w}_{i}\) is defined as: $$\:{w}_{i}=\left\{\begin{array}{c}{w}_{min}=\:\frac{N}{2\cdot\:{N}_{min}}\:\:\:if\:{y}_{i}=minority\:class,\\\:{w}_{maj}=\:\frac{N}{2\cdot\:{N}_{maj}}\:\:\:if\:{y}_{i}=majority\:class,\end{array}\right.$$ 8 where \(\:n\) is the total number of samples, \(\:{N}_{min}\) is the number of minority-class samples, and \(\:{N}_{maj}\) is the number that denotes the majority-class samples. This, in turn, ensures that minority-class instances have more influence during tree building. The splitting criterion in each tree is tuned concerning costs. For instance, a cost-sensitive definition of Gini impurity is as follows: $$\:△{G}_{cost}=\:\sum\:_{c\in\:\left\{classes\right\}}{w}_{c}\cdot\:\:{p}_{c}\left(1-{p}_{c}\right),$$ 9 where \(\:{w}_{c}\) is the cost weight for class \(\:c\) , and \(\:{p}_{c}\) The probability of class \(\:c\) in the split. This modification prefers splits that have a higher improvement on the minority-class instances than the majority-class instances. During ensemble aggregation, the predictions of individual trees are combined through weighted majority voting. The final prediction for an instance \(\:x\) is given by: $$\:\widehat{y}\left(x\right)=\:\underset{c}{\text{argmax}}\sum\:_{t=1}^{T}\mathbb{I}({t}_{t}\left(x\right)=c)\cdot\:{w}_{c},$$ 10 where \(\:T\) is the number of trees, \(\:{h}_{t}\left(x\right)\) is the prediction from the t-th tree, \(\:\mathbb{I}\) is an indicator function, and \(\:{w}_{c}\) is the cost weight for class \(\:c\) . This ensures that the final prediction incorporates the cost sensitivity learned during training. CS-Forest reduces false negatives by overemphasizing minority-class predictions, which makes it particularly effective for intrusion detection applications. Its ensemble-based nature is noise and overfitting robustness, and cost-sensitive adjustments make it capable of hunting for rare patterns that are critical. Proper fine-tuning of a cost matrix is very important to optimize the model for that particular dataset and the requirements of the task. Algorithm 1 technically shows how the CS-Forest in this study is used for the NID. Algorithm 1: CS-Forest Model Algorithm for Network Intrusion Detection Input : • \(\:D={\left\{\right({x}_{i},\:{y}_{i}\left)\right\}}_{i=1}^{N}:Dataset\:with\:N\:samples\) • \(\:T:Number\:of\:trees.\) • \(\:CostMatric=\{{C}_{FP},\:{C}_{FN}\}\) Output : Trained CS-Forest model Steps : 1. Initialize the weights for all samples: For each sample \(\:\left({x}_{i},\:{y}_{i}\right)\in\:D:\) If \(\:{y}_{i}=minorty\:class\) (intrusion) \(\:{w}_{i}\leftarrow\:\frac{N}{\left(2*\:{N}_{min}\right)}\) (11) Else : \(\:{w}_{i}\leftarrow\:\frac{N}{\left(2*\:{N}_{maj}\right)}\) (12) 2. For \(\:t=1\) to \(\:T\) : //Train T trees a. Generate a weighted bootstrap sample \(\:{D}_{t}\) from \(\:D\) using \(\:{w}_{i}\) . b. Train a decision tree \(\:{h}_{t}\) on \(\:{D}_{t}\) : i. At each node, calculate the cost-sensitive split: For each split \(\:S\) : Compute \(\:△{G}_{cost}=\:\sum\:_{c\in\:\left\{classes\right\}}{w}_{c}\cdot\:\:{p}_{c}\left(1-{p}_{c}\right),\) (13) ii. Select the split \(\:{S}^{*}\) with the maximum \(\:△{G}_{cost}\) . \(\:{S}^{*}=\underset{c}{\text{a}\text{r}\text{g}\text{m}\text{a}\text{x}}△{G}_{cost}\left(S\right)\) . (14) iii. Repeat until the tree grows to full depth or the stopping criteria are met. 3. Aggregate prediction from all trees: For each sample \(\:x\) in the test set: Initialize \(\:votes\left[c\right]\:\leftarrow\:0\) for each class \(\:c\) . \(\:votes\left[c\right]=0,\:\forall\:c\in\:classes\) . For \(\:t=1\) to \(\:T\) : Predicted class \(\:{h}_{t}\left(x\right)\leftarrow\:class\) label from tree \(\:t\) . \(\:votes\left[{h}_{t}\left(x\right)\right]\leftarrow\:votes\left[{h}_{t}\left(x\right)\right]+{w}_{c}\) //Add class weight. Final prediction for \(\:x\) : \(\:\widehat{y}\left(x\right)\leftarrow\:\underset{c}{\text{argmax}}votes\left[c\right]\) (15) 4. Return the ensemble \(\:\{{h}_{1},\:{h}_{2},\:\dots\:,\:{h}_{t}\}\) . The CS-Forest algorithm is a cost-sensitive ensemble method that would be especially effective in class imbalance scenarios, such as network intrusion detection. It first assigns weights to every sample based on class representation: higher weights for the minority-class samples to counterbalance their underrepresentation. Then, by using such weighted bootstrap samples for training, each decision tree within the ensemble is generated. At each node in the tree, splits are cost-sensitive using the impurity measure. \(\:△{G}_{cost}\) , which will incorporate class weights and probabilities, and thus favor splits that separate classes better. Trees are grown until stopping criteria, such as maximum depth, are met. During prediction, the ensemble aggregates outputs from all trees, making use of a weighted voting mechanism where votes are influenced by class weights. The class with the highest aggregated vote will determine the last prediction to ensure cost-sensitive and robust decision-making in imbalanced datasets. This cost-sensitive mechanism, within CS-Forest, balances the weight for the minority-class instances, giving more importance to these under-represented attacks in the learning phase. Here, a cost matrix is incorporated such that any misclassification in minority-class samples gets penalized with a larger penalty, prompting the model to prioritize these instances. The ensemble learning process then merges multiple decision trees, where one tree is used for training against a subset of the data based on balancing its class distribution. This ensemble can help to offset the problem that occurs with an imbalanced distribution of classes, increasing the detection power of rare or minority-class attacks. For both the proposed CS-Forest model and the comparison models. For CS-Forest, important hyperparameters were tuned to guarantee the robustness of the model. The number of trees in the ensemble was set between 50 and 200, and an optimal value of 150 was selected based on validation accuracy and error metrics. A cost-sensitive matrix was constructed to penalize the misclassification of minority-class attacks, with the weights determined empirically through grid search. The maximum depth of the trees was set to 20, to find a balance between computational efficiency and detection accuracy. For splitting, the Gini impurity criterion was used as it proved to be more effective in detecting rare attacks. Minimum samples per leaf were set to 2 to avoid over-complexity while still capturing critical decision boundaries. For the comparison models, specific hyperparameters were also carefully tuned. In A1DE, the equivalent sample size was optimized within the range of 1 to 10. For KNN, the number of neighbors varied between 3 and 15, with optimal results at 5 neighbors. The NB model, with limited tunable parameters, required no additional tuning. The Random Forest algorithm was used with 100 estimators, the maximum depth set at 20, and the Gini impurity was selected as the splitting criterion. SVM utilized a radial basis function kernel with a regularization parameter C optimized in the range 10 − 2 to 10 2 . In the kernel coefficient γ it was adjusted through grid search. 3.3 Benchmarked Model The performance of the proposed CS-Forest model is compared with standard benchmark models routinely used in previous studies. The comparison aims to assess the effectiveness, robustness, and overall utility of the proposed model in addressing class imbalance issues and improving predictive accuracy. By comparison with widely recognized models, the paper aims to reveal how much the CS-Forest algorithm contributes to progress made by focusing on its possibility of overcoming the difficulties of cost-sensitive learning and enabling applicability in real-world network intrusion detection. Table 2 shows the list of employed benchmarked models. Table 3 List of Benchmark Models Used for Performance Comparison Model References Average One Dependency Estimator (A1DE) (Naseem et al. 2020c; Khan et al. 2021) Support Vector Machine (SVM) (Mehr and Ramamurthy 2019; Chaabane et al. 2022) Naïve Bayes (NB) (Chen et al. 2016; Iqbal et al. 2019) K-nearest Neighbor (KNN) (Iqbal et al. 2019; Dini and Saponara 2021) Random Forest (RF) (Alsaeedi and Khan 2019; Iqbal et al. 2019) 4. Results Analysis and Discussion This study focuses on AI-based NIDS using the NSL-KDD dataset. To this end, the study proposes a CS-Forest model compared with standard models used in the recent past based on precision, F-measure, recall, accuracy, MAE, and KS. In NIDS, KS measures the agreement between the predicted and actual classifications concerning the possibility that the agreement occurred by chance. It can be very helpful on imbalanced datasets where the accuracy can be misleading. MAE evaluates how big, on average, the errors in predictions are, thus providing information on the model's precision, calculated as an absolute difference between predictions and actual labels. Together, these measures can give a complete estimation of classification performance as well as prediction correctness, thus supporting robust assessment of intrusion detection models. Figure 2 shows the analysis evaluated through KS and MAE. Analysis shows that the CS-Forest model demonstrates better performance. CS-Forest achieves the highest KS value (0.747), indicating significantly stronger agreement between predictions and actual outcomes compared to other models, such as RF (0.619) and KNN (0.579). While CS-Forest's MAE (0.207) is marginally higher than KNN (0.209) and RF (0.196), this slight trade-off in prediction error is outweighed by its better classification consistency, as reflected in the KS score. Results indicate that CS-Forest is the most reliable model in network intrusion detection, concerning strong classification agreement combined with competitive prediction precision. Figure 3 presents the true positive rate (TPR) and false positive rate (FPR) analysis of the proposed CS-Forest compared with other employed models. CS-Forest shows the highest value of TPR, 0.874; it correctly points out actual intrusions better than the others. Furthermore, this model has the lowest FPR, equal to 0.116, which also minimizes false alarms. These are the results that position CS-Forest as the most effective model for true and reliable intrusion detection. The RF follows with a strong TPR at 0.805 and a relatively low FPR at 0.155, hence becoming a competitive alternative for applications that accept slightly higher FPR. KNN and A1DE models show moderate performance, balanced by TPR and FPR, which is suitable for less critical scenarios. NB and SVM have the lowest TPRs and comparatively higher FPRs, indicating reduced efficacy to detect intrusion, along with an increased likelihood of false alarms, which limits the reliability in high-stakes environments. Figure 4 shows the analysis evaluated through precision, recall, and F-measure. The results show that CS-Forest is the better performer, boasting the highest values in terms of Precision at 0.88, Recall at 0.874, and F-measure value of 0.875, making it the most balanced model and effective intrusion classifier with fewer false positives and high sensitivity to the true intrusions. The RF ranks second with a strong Precision of 0.852, Recall of 0.805, and F-measure of 0.803. Therefore, it would be a suitable alternative for applications where performance slightly lower than perfect is tolerable. Similar to KNN and A1DE, the models have a good balance across metrics; they are thus appropriate for moderately critical scenarios. In contrast, NB and SVM provide lower F-measure values, amounting to 0.759 and 0.752, respectively, indicating less balanced performance and reduced effectiveness in cases when both precision and recall are demanded. Figure 5 compares the MCC of different models for NIDS. The CS-Forest model has the highest value, with an MCC equal to 0.751, which is substantially better than other models, including Random Forest (RF) at 0.658 and KNN at 0.621. Its performance could be attributed to the ability of CS-Forest to handle high-dimensional data and learn complicated patterns through ensemble learning techniques to enhance both generalization and detection accuracy. Although competitive, other models, like RF and KNN, are prone to overfitting or suboptimal feature use for complex datasets, limiting their MCC scores. This means that CS-Forest is more robust and suitable for NIDS. Figure 6 demonstrates the accuracy of different models for NIDS, where CS-Forest is found to be the most accurate model, at 87.41%, thus beating the rest by a significant margin. The second-best-performing model, RF, with an accuracy of 80.45%, displays a huge gap of almost 7 percentage points, which indicates that CS-Forest exhibits better predictive potential. Other models, like KNN at 78.29% and A1DE at 77.16%, are moderately accurate. Meanwhile, NB and SVM lag at 76.12% and 75.39% in accuracy, respectively. The increased accuracy of CS-Forest is due to its powerful ensemble learning mechanism. It makes use of optimized feature selection and voting strategies in deciding the best decision tree out of a multi-decision tree combination. Models like SVM and NB, based on weaker assumptions or single-layer decision boundaries, lack the complexity and the high dimensionality of NIDS data, and therefore suffer from comparatively lower performance. It means that CS-Forest is very efficient for making correct intrusion detection in complex situations. The cross-comparison of the models in Table 4 shows that the proposed CS-Forest model outperforms other models in accuracy. CS-Forest reached an accuracy of 87.41%, which significantly outperformed the second-best model, RF, by 6.96%, and showed even greater gaps with models like KNN 9.12%, A1DE 10.25%, NB 11.29%, and SVM 12.02%. This can be attributed to the ensemble mechanism in CS-Forest, in that decision trees are aggregated at an optimized level and have features of importance together with class correlations for increasing precision. Moreover, the forest of CS might exploit a sampling technique at the next level, improved techniques handling class imbalance, as well as robust optimization approaches crucial in detecting rare and subtle intrusion patterns in the network. In contrast, conventional models such as SVM and NB rely on easier assumptions and do not have the inherent ability to model sophisticated interactions in data. As much as RF can exhibit good performance due to an ensemble approach, CS-Forest further refines the same by using tailored approaches for tree building and voting mechanisms specific to network intrusion detection, making it the best model in this work. Table 4 Cross-comparison of Employed Model Accuracies for NIDS Model SVM NB A1DE KNN RF CS-Forest SVM --- + 0.73 + 1.77 + 2.90 + 5.06 + 12.02 NB -0.73 --- + 1.04 + 2.17 + 4.33 + 11.29 A1DE -1.77 -1.04 --- + 1.13 + 3.29 + 10.25 KNN -2.90 -2.17 -1.13 --- + 2.16 + 9.12 RF -5.06 -4.33 -3.29 -2.16 --- + 6.96 CS-Forest -12.02 -11.29 -10.25 -9.12 -6.96 --- The CS-Forest model proposes to overcome the major limitations in existing intrusion detection systems by addressing the class imbalance, commonly found in network intrusion datasets. Traditional models of this genre fail to correctly classify the minority-class instances, causing high false negatives and thereby reducing the impact of intrusion detection. Under cost-sensitive learning principles, underrepresented classes are assigned heavier misclassification penalties, enhancing the detection of rare attack patterns through CS-Forest. This is done using weighted sampling and cost-sensitive split criteria, which prefer the detection of minority-class samples. In addition, the ensemble-based approach of CS-Forest increases its resistance to noise and overfitting, which can be reliable in real-world applications. The model's fine-tuning cost matrices further allow adaptability, making the optimization dependent on the specific dataset characteristics and task requirements for a more precise and effective solution. Moreover, CS-Forest improves computational efficiency using lightweight decision tree ensembles and is thus applicable to real-time intrusion detection in resource-constrained environments. Combining improved minority-class detection, computational efficiency, and adaptability, CS-Forest is a robust solution to the challenges facing network intrusion detection today. Despite the promising results of the proposed CS-Forest model for network intrusion detection, there are several limitations in this study. The performance of the model is heavily dependent on the quality and representativeness of the NSL-KDD dataset, which may not fully capture the wide variety of modern intrusion techniques or real-world network environments. In addition, although the CS-Forest model adequately deals with the class imbalance issue by adopting cost-sensitive learning, the performance may drop when facing highly complex or evolving patterns of attacks not well presented in the training data. Moreover, because the decision tree is a base learner of the model, it may be unable to model sophisticated patterns as it could with more complex models, such as DL. 4.1 Discussion The improved performance of the proposed CS-Forest model over the conventional machine learning classifiers (e.g., SVM, NB, KNN, A1DE, RF) in the network intrusion detection area can be attributed to the synergistic effects of a combination of a few significant technical advancements and architectural improvements specifically addressing the difficulties embedded in network intrusion datasets, specifically class imbalance, high-dimensional data, and dynamic attack patterns. a. Cost-Sensitive Learning Strategy : The foundation of CS-Forest's strength is rooted in its cost-sensitive mechanism that incurs increased misclassification penalty for minority-class samples (rare and worse attack types). On the contrary, traditional algorithms such as SVM, NB, and even RF employ either a uniform cost matrix or class-neutral loss functions. This makes these models biased towards the majority classes at the expense of poor detection against underrepresented attacks. By incorporating cost-sensitive weighting during both the training and decision-making phases, CS-Forest ensures that rare attacks are not ignored, substantially reducing false negatives for minority classes. b. Ensemble-Based Architecture : In contrast to single learner models such as SVM and NB, CS-Forest uses ensemble learning with an optimized sequence of decision trees. Each is trained using weighted sampling and class-aware splitting rules, allowing the ensemble to learn diverse and complementary decision boundaries. This not only enhances generalization but also suppresses variance and overfitting, the usual pitfalls in models such as KNN and RF when presented with high-dimensional and noisy intrusion data. c. High-Dimensional Feature Handling : Intrusion detection datasets such as NSL-KDD contain high-dimensional feature spaces with many redundant or irrelevant features. CS-Forest, by its cost-sensitive tree construction and ensemble voting process, implicitly picks more discriminative features at splits, thus filtering out noise and emphasizing the most important features. In contrast, models such as NB rely on conditional independence assumptions, while SVM doesn't have built-in feature selection, so they are less suitable for such noisy, high-dimensional environments. d. Robustness to Class Imbalance and Overfitting : The CS-Forest model is immune to the high class imbalance often found in NIDS data. Although RF makes use of ensemble learning, its uniform sampling and voting approach is not optimal for underrepresented attack classes. CS-Forest optimizes this using cost-sensitive voting, where trees trained on minority-class data proportionally have a greater impact. Additionally, penalization mechanisms are used in the split criteria selection, essentially regularizing the learning process and lowering overfitting on major classes. e. Consistent Performance Across Evaluation Metrics : Empirical results from the analysis validate the dominance of the CS-Forest model using various evaluation metrics. The Kolmogorov–Smirnov (KS) value of 0.747 and the Matthews Correlation Coefficient (MCC) of 0.751 indicate the robust classification agreement and balanced predictive strength of the model, especially under imbalanced class distributions. Furthermore, CS-Forest has a precision rate of 0.88, a recall rate of 0.874, and an F-measure of 0.875, proving highly sensitive and specific, as is required to guarantee both precise and sound intrusion detections. The model also reflects an overall accuracy rate of 87.41%, performing much better than other classifiers, namely, Random Forest, which performs about 7% behind. In addition, the true positive rate (0.874) and false positive rate (0.116) confirm the model's efficacy in intrusion detection while maintaining false alarms to a bare minimum, an essential prerequisite for real-world deployment in security-critical environments. f. Scalability and Real-Time Applicability : The application of light decision tree structures renders CS-Forest computationally efficient, particularly against deep models or kernel-based SVMs. Such scalability renders it a viable option for real-time NIDS deployment, particularly in resource-limited environments such as edge devices or embedded security appliances. 5. Conclusion The study proposes a novel cost-sensitive decision tree ensemble model known as CS-Forest, intended to improve the detection of minority-class intrusions in intrusion detection systems. This approach reduces the false positive and false negative rates by addressing the imbalance in the distributions of the attack classes. Detailed tests on the NSL-KDD dataset show that CS-Forest outperforms all others by gaining a detection accuracy of 87.41%, and it even outperformed the underrepresented attack classes against the traditional models A1DE, KNN, NB, RF, and SVM. The proposed model uses a cost-sensitive approach towards decision tree learning, which robustly performs over all classes of attacks. These results confirm the real-world applicability of CS-Forest in practical IDS implementations, providing an efficient solution to enhance network security. The findings presented in this paper confirm the claims made and contribute to the advancement of IDS research by addressing critical challenges in intrusion detection. Future work may include further optimization of the CS-Forest model through ensemble strategies and the incorporation of more cost-sensitive techniques to improve detection accuracy. Real-time deployment in dynamic network environments may also be tested to evaluate the performance and scalability of the model. Further evaluation of diverse datasets and integration with other advanced ML approaches may also enhance the robustness and applicability of the model for various intrusion detection scenarios. Declarations Conflicts of Interest: The author declares that they have no conflicts of interest to report regarding the present study. Funding Statement: This research is supported by a grant (No. CRPG-25-3320) under the Cybersecurity Research and Innovation Pioneers Initiative, provided by the National Cybersecurity Authority (NCA) in the Kingdom of Saudi Arabia. Author Contribution This paper has a single author Acknowledgement This research is supported by a grant (No. CRPG-25-3320) under the Cybersecurity Research and Innovation Pioneers Initiative, provided by the National Cybersecurity Authority (NCA) in the Kingdom of Saudi Arabia. Data Availability The data used in the study were obtained from the Kaggle repository, available online at: https://www.kaggle.com/datasets/hassan06/nslkdd. References Alamin Talukder, M. et al. A Dependable Hybrid Machine Learning Model for Network Intrusion Detection. arXiv e-prints arXiv-2212 (2022). Alamin Talukder, M. et al. Machine learning-based network intrusion detection for big and imbalanced data using oversampling, stacking feature embedding and feature extraction. (2024). arXiv e-prints arXiv-2401. Alsaeedi, A. & Khan, M. Z. Software Defect Prediction Using Supervised Machine Learning and Ensemble Techniques: A Comparative Study. 85–100. (2019). https://doi.org/10.4236/jsea.2019.125007 Amor, N., Ben, Benferhat, S. & Elouedi, Z. Naive bayes vs decision trees in intrusion detection systems. In: Proceedings of the 2004 ACM symposium on Applied computing. pp 420–424 (2004). Amru, M. et al. Network intrusion detection system by applying ensemble model for smart home. Int. J. Electr. Comput. Eng. (2024). (2088–8708) 14 . Andresini, G., Appice, A., De Rose, L. & Malerba, D. GAN augmentation to deal with imbalance in imaging-based intrusion detection. Future Generation Comput. Syst. 123 , 108–127 (2021). Apruzzese, G., Pajola, L. & Conti, M. The cross-evaluation of machine learning-based network intrusion detection systems. IEEE Trans. Netw. Serv. Manage. 19 , 5152–5169 (2022). Balla, A. et al. The effect of dataset imbalance on the performance of scada intrusion detection systems. Sensors 23 , 758 (2023). Bertoli, G. & Júnior, L. … OS-I, undefined An end-to-end framework for machine learning-based network intrusion detection system. ieeexplore.ieee.org (2021). Chaabane, S., Ben, Hijji, M., Harrabi, R. & Seddik, H. Face recognition based on statistical features and SVM classifier. Multimedia Tools Appl. 81 , 8767–8784 (2022). Chen, C. et al. An explanatory analysis of driver injury severity in rear-end crashes using a decision table/Naïve Bayes (DTNB) hybrid classifier. Accid. Anal. Prev. 90 , 95–107. https://doi.org/10.1016/j.aap.2016.02.002 (2016). Choudhury, S. & Bhowal, A. Comparative analysis of machine learning algorithms along with classifiers for network intrusion detection. 2015 International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and Materials, ICSTM 2015 - Proceedings 89–95. (2015). https://doi.org/10.1109/ICSTM.2015.7225395 Deist, T. M. et al. Machine learning algorithms for outcome prediction in (chemo)radiotherapy: An empirical comparison of classifiers. Med. Phys. 45 , 3449–3459. https://doi.org/10.1002/mp.12967 (2018). Dini, P. & Saponara, S. Analysis, design, and comparison of machine-learning techniques for networking intrusion detection. Designs 5 , 1–22. https://doi.org/10.3390/designs5010009 (2021). Holdings, T. & Trustwave Global Security Report.. https://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/ . Accessed 14 Jan 2025. Iqbal, A. et al. Performance analysis of machine learning techniques on software defect prediction using NASA datasets. Int. J. Adv. Comput. Sci. Appl. 10 , 300–308. https://doi.org/10.14569/ijacsa.2019.0100538 (2019). Javaid, A., Niyaz, Q., Sun, W. & Alam, M. A deep learning approach for network intrusion detection system. In: Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS). pp 21–26 (2016). Joraviya, N., Gohil, B. N. & Rao, U. P. Ab-HIDS: An anomaly‐based host intrusion detection system using frequency of N‐gram system call features and ensemble learning for containerized environment. Concurrency and Computation: Practice and Experience 36:e8249 (2024). Khan, B. et al. An empirical evaluation of machine learning techniques for chronic kidney disease prophecy. IEEE Access. 8 , 55012–55022. https://doi.org/10.1109/ACCESS.2020.2981689 (2020). Khan, B. et al. Software Defect Prediction for Healthcare Big Data: An Empirical Evaluation of Machine Learning Techniques. J. Healthc. Eng. 2021 . https://doi.org/10.1155/2021/8899263 (2021). Kim, G., Lee, S. & Kim, S. A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst. Appl. 41 , 1690–1700 (2014). Kumar, V. & Sinha, D. Synthetic attack data generation model applying generative adversarial network for intrusion detection. Computers Secur. 125 , 103054 (2023). Lavanya, T. & Rajalakshmi, K. Heterogenous ensemble learning driven multi-parametric assessment model for hardware Trojan detection. Integration 89 , 217–228 (2023). Mehr, S. Y. & Ramamurthy, B. An SVM based DDoS attack detection method for Ryu SDN controller. In: Proceedings of the 15th international conference on emerging networking experiments and technologies. pp 72–73 (2019). Naseem, R. et al. Investigating Tree Family Machine Learning Techniques for a Predictive System to Unveil Software Defects. Complexity 2020 , 1–21. https://doi.org/10.1155/2020/6688075 (2020a). Naseem, R. et al. Performance Assessment of Classification Algorithms on Early Detection of Liver Syndrome. J. Healthc. Eng. 2020 . https://doi.org/10.1155/2020/6680002 (2020b). Naseem, R. et al. Performance Assessment of Classification Algorithms on Early Detection of Liver Syndrome. J. Healthc. Eng. 2020 . https://doi.org/10.1155/2020/6680002 (2020c). Ren, J. et al. An multi-level intrusion detection method based on KNN outlier detection and random forests. J. Comput. Res. Dev. 56 , 566–575 (2019). Satilmiş, H., Akleylek, S. & Tok, Z. Y. A Systematic Literature Review on Host-Based Intrusion Detection Systems. Ieee Access. 12 , 27237–27266 (2024). Shapoorifard, H. & Shamsinejad, P. Intrusion detection using a novel hybrid method incorporating an improved KNN. Int. J. Comput. Appl. 173 , 5–9 (2017). Shone, N., Ngoc, T. N., Phai, V. D. & Shi, Q. A deep learning approach to network intrusion detection. IEEE Trans. Emerg. Top. Comput. Intell. 2 , 41–50 (2018). Siers, M. J. & Islam, M. Z. Cost sensitive decision forest and voting for software defect prediction. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 8862:929–936. (2014). https://doi.org/10.1007/978-3-319-13560-1 Subasi, A. & Kremic, E. Leveraging AI and machine learning for societal challenges, cas 2019 comparison of adaboost with multiboosting for phishing website detection. Procedia Comput. Sci. 168 , 272–278. https://doi.org/10.1016/j.procs.2020.02.251 (2020). Talukder, M. A. et al. A dependable hybrid machine learning model for network intrusion detection. J. Inform. Secur. Appl. 72 , 103405 (2023). Talukder, M. A. et al. Machine learning-based network intrusion detection for big and imbalanced data using oversampling, stacking feature embedding and feature extraction. J. big data . 11 , 33 (2024). Tao, P., Sun, Z. & Sun, Z. An improved intrusion detection algorithm based on GA and SVM. Ieee Access. 6 , 13624–13631 (2018). Torres, P., Catania, C., Garcia, S. & Garino, C. G. An analysis of recurrent neural networks for botnet detection behavior. In: 2016 IEEE biennial congress of Argentina (ARGENCON). IEEE, pp 1–6 (2016). VEERAKUMARAN M V INTRUSION DETECTION SYSTEM. (IDS) IN NETWORKS. Wang, W. et al. Malware traffic classification using convolutional neural network for representation learning. In: 2017 International conference on information networking (ICOIN). IEEE, pp 712–717 (2017). Wang, Y., An, J. & Huang, W. Using CNN-based representation learning method for malicious traffic identification. In: 2018 IEEE/ACIS 17th International Conference on Computer and Information Science (ICIS). IEEE, pp 400–404 (2018). Yang, Y., Gu, Y. & Yan, Y. Machine learning-based intrusion detection for rare-class network attacks. Electronics 12 , 3911 (2023). Yin, C., Zhu, Y., Fei, J. & He, X. A deep learning approach for intrusion detection using recurrent neural networks. Ieee Access. 5 , 21954–21961 (2017). Zhang, Y. & Liu, Q. On IoT intrusion detection based on data augmentation for enhancing learning on unbalanced samples. Future Generation Comput. Syst. 133 , 213–227 (2022). Zhao, G., Zhang, C. & Zheng, L. Intrusion detection using deep belief network and probabilistic neural network. In: 2017 IEEE international conference on computational science and engineering (CSE) and IEEE international conference on embedded and ubiquitous computing (EUC). IEEE, pp 639–642 (2017). Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7187958","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Article","associatedPublications":[],"authors":[{"id":495657732,"identity":"008f8c6b-a105-4340-8a68-196d90518b2a","order_by":0,"name":"Muhammad Binsawad","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA3klEQVRIiWNgGAWjYDACCcYGCON4G5iCcYnRcuYY0VpgjBtpRGrRnd3c9vBHzWF5vpvPEj/zMNjIbjjA/vADPi1mdw62G/McO2w483baYWkehjTjDQd4jCXwarmR2CbNwHabccPt9AaglsOJQC0MBLVI/vh3237DzePNv3kY/gO1sD/+QUiLBG/b7cQNN9iOAW05ANTCYIbfljsH26R5+/4nzzyTlmY5xyDZeOZhHjMLvFputz+T/PEtzbbv+DHjG28q7GT7jrc/voFPCxowAGJmEtSPglEwCkbBKMAOAJ+mU0WDYDYcAAAAAElFTkSuQmCC","orcid":"","institution":"King Abdulaziz University","correspondingAuthor":true,"prefix":"","firstName":"Muhammad","middleName":"","lastName":"Binsawad","suffix":""}],"badges":[],"createdAt":"2025-07-22 14:08:40","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7187958/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7187958/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":88439862,"identity":"176c6501-f709-412a-b2e6-71c0abf744da","added_by":"auto","created_at":"2025-08-06 12:29:28","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":80724,"visible":true,"origin":"","legend":"\u003cp\u003eGeneral Methodology and Approach for Network Intrusion Detection\u003c/p\u003e","description":"","filename":"1.png","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/9389b79d751706320246fd64.png"},{"id":88439864,"identity":"760443d8-ca54-49e6-9817-d6a6ce392733","added_by":"auto","created_at":"2025-08-06 12:29:28","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":30609,"visible":true,"origin":"","legend":"\u003cp\u003ePerformance Analysis Evaluated through KS and MAE\u003c/p\u003e","description":"","filename":"2.png","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/b9c82ea0c5f3bdb1b23b9f6c.png"},{"id":88439863,"identity":"bd10b5fd-8125-4017-bef3-4d2258c7cc9a","added_by":"auto","created_at":"2025-08-06 12:29:28","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":30574,"visible":true,"origin":"","legend":"\u003cp\u003eTrue Positive Rate (TPR) and False Positive Rate (FPR) Analysis of Each Employed Model\u003c/p\u003e","description":"","filename":"3.png","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/a5fa60978758e2365a11ecb8.png"},{"id":88439867,"identity":"a02c1e07-9567-474e-bf3c-0d7e27eda55a","added_by":"auto","created_at":"2025-08-06 12:29:28","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":73529,"visible":true,"origin":"","legend":"\u003cp\u003ePrecision, Recall, and F-measure Analysis of Each Employed Model Compared with the Proposed CS-Model\u003c/p\u003e","description":"","filename":"4.png","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/061f5edbd4264438ec200a7a.png"},{"id":88439871,"identity":"f12fa1be-5d2e-46fa-9b35-7469c0129ee8","added_by":"auto","created_at":"2025-08-06 12:29:28","extension":"png","order_by":5,"title":"Figure 5","display":"","copyAsset":false,"role":"figure","size":26805,"visible":true,"origin":"","legend":"\u003cp\u003eMCC comparison of Employed Models for NIDS Contrasting with Proposed CS-Forest\u003c/p\u003e","description":"","filename":"5.png","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/1348c138712c3c1d1c8ed803.png"},{"id":88440078,"identity":"c8445dce-efca-46a8-8ffd-a5e263ebce1e","added_by":"auto","created_at":"2025-08-06 12:37:28","extension":"png","order_by":6,"title":"Figure 6","display":"","copyAsset":false,"role":"figure","size":24925,"visible":true,"origin":"","legend":"\u003cp\u003eAccuracy Comparison of Employed Models for NIDS\u003c/p\u003e","description":"","filename":"6.png","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/7b9c7078a79dd6f16bbc1ca4.png"},{"id":89383172,"identity":"b51bcf53-aea2-47db-a64a-1b9bd94e0a3a","added_by":"auto","created_at":"2025-08-19 12:16:59","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":1431790,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7187958/v1/3fce199a-5dad-45ad-ac5b-9123d6c8a5bb.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Enhancing Network Intrusion Detection Systems through Cost-Sensitive Ensemble Learning with the CS-Forest Approach for Accurate Detection of Minority-Class Attacks","fulltext":[{"header":"1. Introduction","content":"\u003cp\u003eThe increasing susceptibility of Internet computer networks to security risks necessitates sensible and timely security measures. This is evident because many attackers focus on sensitive information, which attacks are designed to steal, modify, or destroy such information. Intrusions occur when an attacker gains unauthorized access to a system and transmits malicious packets, whereas attacks are unauthorized actions in the network or the transfer of malicious data (Amru et al. 2024). These are user errors, configuration mistakes, or bugs in software; in addition, malicious attackers can exploit multiple system weaknesses for more complex attacks. With global networks hosting vast online services and big servers, these systems become attractive targets for attackers. Effective intrusion detection systems (IDS) are therefore important to protect such networks. According to the 2020 Trustwave Global Security Report (T. Holdings, 2025), 50 percent of corporate networks had encounters with security incidents involving phishing and social engineering, while further impacts were incurred on e-commerce at 22%, cloud systems at 20%, and point-of-sale systems at 5%. In 2019, external activities were associated with 86% of intrusion events (Talukder et al. 2023).\u003c/p\u003e\u003cp\u003eIDS can be categorized as network-based (NIDS) or host-based (HIDS). NIDS monitors network traffic and connected devices to detect intrusions, while HIDS analyzes activities on individual devices, such as system calls, file modifications, and application logs (Satilmiş et al. 2024). IDS can also be classified by their analysis type: signature-based (SIDS) or anomaly-based (AIDS). SIDS relies on predefined signatures to identify threats, requiring an updated database of known attack patterns (Joraviya et al. 2024). Wherein, AIDS models normal system behavior and alerts deviations beyond the established thresholds or when the behavior seems anomalous against learned norms. Comparing SIDS with anomaly-based IDS, it may be emphasized that while it effectively detects known threats through identifiable malware patterns, SIDS is inefficient with unknown and unpredictable attacks. Anomaly-based IDS, on the other hand, can determine unknown malware by evaluating data against learned behaviors and flagging suspicious activity (VeeraKumaran).\u003c/p\u003e\u003cp\u003eThe role of artificial intelligence (AI), especially machine learning (ML) and deep learning (DL), in IDS has increased quite prominently to allow intrusion detection. Advanced techniques by attackers, however, create some problems in network protection. Having the potential to infer patterns straight from specified inputs without any concrete algorithm (Alamin Talukder et al. 2024; Talukder et al. 2024), gives ML a very high usage in the development of IDS. However, managing large and ever-growing data sets remains an open issue in ML, data mining, and text mining (Bertoli et al. 2021; Apruzzese et al. 2022). In the context of internet-connected systems, ML-based IDSs are welcomed in terms of adaptation and anomaly modes of detection, but must evolve rapidly to combat emerging security threats.\u003c/p\u003e\u003cp\u003eThis research proposes a new intrusion detection model, Cost-Sensitive Forest (CS-Forest), that combines ensemble learning through Random Forests with cost-sensitive learning concepts to improve the identification of rare and minority-class attacks. Tested on the NSL-KDD dataset, the CS-Forest model shows better performance compared to renowned machine learning models, such as Average One Dependency Estimator (A1DE), K-nearest Neighbor (KNN), Na\u0026iuml;ve Bayes (NB), Support Vector Machine (SVM), and traditional Random Forest (RF). Performance is evaluated based on key performance metrics like Kappa Statistics (KS), Mean Absolute Error (MAE), precision, recall, F-measure, Mathew's Correlation Coefficient (MCC), and accuracy. The model reduces the false positives and false negatives efficiently while retaining good overall detection ability, which helps in the development of more robust and efficient intrusion detection systems.\u003c/p\u003e\u003cp\u003eThe main objectives of this research study are to:\u003c/p\u003e\u003cp\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eCreate a new cost-sensitive ensemble model (CS-Forest) specific to NIDS, which effectively solves the class imbalance issue prevalent in intrusion detection data.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eImprove the detection accuracy of minority-class intrusions by incorporating cost-sensitive learning principles into decision tree building, thus minimizing false negatives and enhancing sensitivity to infrequent attack patterns.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eCompare the CS-Forest model proposed here with the standard classifiers like RF, KNN, A1DE, NB, and SVM using various evaluation metrics like accuracy, precision, recall, F-measure, KS-statistic, MAE, MCC, TPR, and FPR.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eProve the practical applicability of the CS-Forest model by verifying its performance on the NSL-KDD dataset, highlighting its superiority in intrusion detection with high accuracy and reliability and low false alarms.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/p\u003e\u003cp\u003eThis research makes several contributions to NID research. First, it proposes a new cost-sensitive ensemble learning model, CS-Forest, that is particularly aimed at handling the class imbalance issue prevalent in intrusion detection data sets. By using cost-sensitive learning techniques like weighted sampling and adjusted split criteria, the model effectively enhances minority-class intrusion detection, which tends to be ignored by conventional classifiers. Secondly, the CS-Forest model shows better performance on a broad range of evaluation measures such as KS-statistic, MCC, accuracy, precision, recall, F-measure, TPR, and FPR, thus proving its reliability and robustness in detecting both frequent and rare attack types. Third, the research presents a thorough comparative study against traditional models such as RF, KNN, A1DE, NB, and SVM, emphasizing the substantial gains achieved by CS-Forest in predictive accuracy as well as false positive reduction. Moreover, the model has a robust balance between classification stability and computational cost, which makes it deployable in real-time and resource-limited settings. Lastly, the study emphasizes the applicability of applying cost-sensitive learning in actual NIDS, providing a scalable and flexible solution to augment cybersecurity infrastructures.\u003c/p\u003e\u003cp\u003eThe rest of this study is organized as follows: Section 2, related literature review; Section 3, proposed methodology; Section 4, analysis and discussion of the results; and Section 5, conclusion of the study.\u003c/p\u003e"},{"header":"2. Literature Study","content":"\u003cp\u003eIn recent years, researchers have become more interested in the amalgamation of ML techniques and intrusion detection systems for improved network attack detection. For example, the authors of (Amor et al. 2004) discuss how the Naive Bayes algorithm is a very effective technique at detecting network anomalies if pitted against the traditional decision tree approach commonly used in ML. Similarly, work in (Tao et al. 2018) implemented a support vector machine with the genetic algorithm for optimization of feature selection parameter tuning and weighing. This eventually enhances network attack accuracy. In (Ren et al. 2019), a multi-level approach utilizes the random forest model; therefore, better differentiation of anomalous network behaviors will be achieved. Ref. (Shapoorifard and Shamsinejad 2017) presented a K-means clustering implementation, which is used in improving the classification of KNN. In addition, a new approach proposed in (Kim et al. 2014) is presented. Here, network data was divided into subsets by using C4.5 decision tree algorithms and applying multiple SVM models on subsets, and the reduction in computational complexity and detection of unknown attacks improved many times. Typically, traditional approaches to ML need huge feature engineering, which is computationally expensive and would limit the ability to detect simple deep features.\u003c/p\u003e\u003cp\u003eTo address these challenges, many researchers are shifting towards DL methods in hopes of being able to directly input network traffic data into models and bypass the feature selection phase. For example, the authors in (Zhao et al. 2017) propose a model that combines deep belief networks (DBNs) with probabilistic neural networks (PNNs), where DBNs are utilized for dimensionality reduction, and PNNs are used for classification, outperforming traditional PNN-based methods. In (Wang et al. 2017), an image-based detection scheme utilizing CNNs is proposed: traffic data can be represented as images, hence making manual feature design unnecessary. Additionally, the study in (Torres et al. 2016) uses RNNs for Botnet anomaly detection, taking into account the fact that an RNN could exploit timing features well to improve classification accuracy.\u003c/p\u003e\u003cp\u003eJavaid et al. (Javaid et al. 2016) introduced a dynamic and efficient intrusion detection system using self-taught learning in conjunction with deep learning frameworks. The methodology consisted of a sparse auto-encoder along with multinomial logistic regression, tested on the NSL-KDD dataset. The results reported that the STL-based model achieved an accuracy of 88.38% for binary classification and 79.10% for multi-class classification. In a similar context, Shone et al. (Shone et al. 2018) present a supervised technique for feature learning that relies on a Non-Symmetric Deep Auto-encoder. Their model was tested with both the NSL-KDD and KDD Cup '99 datasets. It achieved an accuracy rate of 85.42% in the five-class classification task.\u003c/p\u003e\u003cp\u003eOther significant advancements in deep learning-based IDS could be found in the work of Yin et al. (Yin et al. 2017), who employ a recurrent neural network to classify intrusions. Their model took a 122-dimensional input and resulted in binary classification, achieving 83.28% for binary classification and 81.29% for five-class multi-classification on the NSL-KDD dataset. Wang et al. (Wang et al. 2018) proposed a representation learning method for intrusion detection that analyzes raw network activity data by using a convolutional neural network (CNN). Despite the new style, using 5 \u0026times; 5 filter sizes with 16 and 32 filters, the precision of the model is restricted by the low resolution of input image data. Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e briefs the overall literature study.\u003c/p\u003e\u003cp\u003eResearchers (Zhang and Liu 2022) used Borderline-SMOTE to enhance the rare-class attack detection accuracy in IoT environments, which has addressed class imbalance problems. Another research study (Andresini et al. 2021) applied GANs to produce synthetic rare-class attack data for improving the CNN-based intrusion detection models. Researchers (Kumar and Sinha 2023) used WCGAN to develop rare-class attack samples, thus improving the XGBoost classifiers' recognition rates for rare-class intrusions. In addition, research (Yang et al. 2023) proposed the geometric Synthetic Minority Oversampling Technique, an optimized kernel density estimation algorithm, which obtains high multiclass classification accuracies of 86.39% and 99.94% on the NSL-KDD and N-BaIoT datasets, respectively. Several techniques, including interpolation, oversampling, and encoder-generated data, have been utilized to balance training sets and further enhance results. Traditional methods such as SMOTE (Alamin Talukder et al. 2022; Balla et al. 2023), Borderline-SMOTE, and ADASYN create synthetic samples by generating new instances along line segments connecting minority class instances (Lavanya and Rajalakshmi 2023).\u003c/p\u003e\u003cp\u003eDespite the several advancements in intrusion detection systems, there are some limitations in the methodologies used. For example, approaches like NB and RF models tend not to perform so well with large-dimensional data; as the size of the dataset gets larger, so does the likelihood of performance degrading. Some optimization techniques may be computationally expensive and sensitive to overfitting, including genetic algorithms, and hybrid models containing SVM or DT. Similar improvements in KNN by the clustering or partitioning methods are likely to offer low scalability and sensitivity to the choice of parameters. DL methods, promising as they are, have issues including high computational demand, overfitting, and poor generalization to unseen attacks. For instance, CNNs may be limited to the resolution of the input data, while RNNs may be unable to deal with long-range dependencies in high-dimensional data. Methods based on synthetic data generation, such as SMOTE, Borderline-SMOTE, ADASYN, and GAN-based methods, struggle to capture minority class characteristics with precision, possibly producing noisy or unrealistic samples that degrade model performance. Moreover, the computational expense of more complex methods, including WCGANs and geometric Synthetic Minority Oversampling Techniques, limits their wider usage. This will address the above limitations in improving the scalability, efficiency, and robustness of intrusion detection systems.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eSummary of Recent Advancements in ML and DL-based Intrusion Detection Systems\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAuthor and Reference\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eMain Contributions\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eField\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eN. Ben Amor, (Amor et al. 2004)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUtilized Naive Bayes for network anomaly detection and compared it with decision trees.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eP. Tao, Z. Sun, (Tao et al. 2018)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCombined genetic algorithm with SVM for optimized feature selection, parameter tuning, and weighting to enhance detection accuracy.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eJ. Ren, (Ren et al. 2019)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProposed a multi-level random forest model to detect anomalous network behaviors.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eH. Shapoorifard, (Shapoorifard and Shamsinejad 2017)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eImproved KNN by integrating it with K-Means clustering to enhance detection accuracy.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eG. Kim, (Kim et al. 2014)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eIntroduced a hybrid approach using the C4.5 decision tree to partition data and SVM models to improve unknown attack detection.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eG. Zhao, (Zhao et al. 2017)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDeveloped a hybrid model combining DBNs for dimensionality reduction and PNNs for classification, achieving higher accuracy.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eW. Wang, (Wang et al. 2017)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProposed a CNN-based detection method that represents traffic data as images, eliminating manual feature design.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eP. Torres, (Torres et al. 2016)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUsed RNNs to detect Botnet anomalies, leveraging timing features to improve classification accuracy.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eA. Javaid, (Javaid et al. 2016)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProposed an STL-based IDS using sparse auto-encoders with multinomial logistic regression, achieving high accuracy on NSL-KDD.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eN. Shone, (Shone et al. 2018)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eIntroduced a supervised learning method using a Non-Symmetric Deep Auto-encoder, tested on NSL-KDD and KDD Cup '99 datasets.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eC. Yin, (Yin et al. 2017)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eImplemented an RNN-based IDS, achieving significant accuracy on binary and multi-class classification on NSL-KDD.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eY. Wang, (Wang et al. 2018)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProposed a CNN-based representation learning method for intrusion detection using raw network activity data.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eR. Zhang, (Zhang and Liu 2022)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUsed Borderline-SMOTE to enhance rare-class attack detection accuracy in IoT environments, addressing class imbalance.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eG. Andresini, (Andresini et al. 2021)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eApplied GANs to generate synthetic rare-class attack data, improving CNN-based intrusion detection models.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eV. Kumar, (Kumar and Sinha 2023)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEmployed WCGAN to develop rare-class attack samples, boosting XGBoost classifiers' recognition rates for rare-class intrusions.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eY, Yang, (Yang et al. 2023)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eProposed the geometric Synthetic Minority Oversampling Technique, achieving high multiclass classification accuracies on NSL-KDD and N-BaIoT datasets.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eM. Alamin, [\u003cspan citationid=\"CR27\" class=\"CitationRef\"\u003e27\u003c/span\u003e]\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUsed traditional SMOTE to generate synthetic samples for class imbalance.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eA. Balla, [\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e28\u003c/span\u003e]\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEmployed Borderline-SMOTE to create synthetic samples for minority class detection.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eML\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eT. Lavanya, (Lavanya and Rajalakshmi 2023)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUsed ADASYN to generate synthetic samples, improving the detection of rare class instances.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDL\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e"},{"header":"3. Proposed Scheme","content":"\u003cp\u003eThis study tries to find out the predictability of network intrusions and their potential impact on systems and data. Although current intrusion detection models can be used to detect anomalies in network traffic, they still fail to prevent such anomalies and intrusions from causing damage (Choudhury and Bhowal 2015). Intrusion detection is very important to ensure system security because it can reduce the risks of data loss and corruption. These vulnerabilities must be addressed with urgency to minimize damage. The data set used in this paper is the updated NSL-KDD dataset of 2019, available at \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://www.unb.ca/cic/datasets/nsl.html\u003c/span\u003e\u003cspan address=\"https://www.unb.ca/cic/datasets/nsl.html\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e. Figure\u0026nbsp;\u003cspan refid=\"Fig1\" class=\"InternalRef\"\u003e1\u003c/span\u003e shows the general methodology and approach adopted for conducting this research. The experiments were done on a system with an Intel Core i7 CPU, 16GB of RAM, and the Windows operating system. All implementations were performed in Python 3.9 using Scikit-learn and other relevant ML libraries.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eSeparate datasets are used for training and testing machine learning models. The training dataset consists of 125,973 instances, of which 58,631 are anomaly records and 67,342 are normal records. The testing dataset consists of 22,544 instances. Both datasets consist of 42 features, with one of the features being a class attribute that labels whether a record is normal or abnormal. The classes and ranges of the NSL-KDD dataset are shown in Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e. Of the 42 features, one is for a class attribute, while the remaining 41 fall into four categories described as follows:\u003c/p\u003e\u003cp\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003eBasic (B) features: Features of individual TCP connections.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eContent (C) features: Features derived from domain knowledge about particular relationships.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eTraffic (T) features: Measured over a two-second time window.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eHost (H) features: Metrics that aim at measuring attacks that linger for more than two seconds.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab2\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 2\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eClasses and Feature Categories of the NSL-KDD Dataset\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eS No\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eLabel\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eAttribute\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eValue Range\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eduration\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eprotocol type\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003etcp, udp, icmp\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e3\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eservice\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003ecourier, aol, bgp, ctf, auth, csnet_ns, discard, domain, domain_u, echo, eco_i, ecr_i, efs, daytime, finger, ftp, gopher, ftp_data, exec, harvest, hostnames, http, http_2784, http_8001, http_443, imap4, iso_tsap, IRC, kshell, klogin, login, ldap, link, mtp, name, netbios_dgm, netbios_ns, netbios_ssn, netstat, nnsp, nntp, ntp_u, other, pm_dump, pop_2, pop_3, printer, private, red_i, remote_job, rje, shell, smtp, sql_net, ssh, sunrpc, supdup, systat, telnet, tftp_u, tim_i, time, urh_i, urp_i, uucp, uucp_path, vmnet, whois, X11, Z39_50\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e4\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eflag\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eoth, rej, rsto, rstos0, rstr, s0, s1, s2, s3, sf, sh\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e5\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_bytes\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e6\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esrc_bytes\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e7\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ewrong_fragment\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e8\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eland\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e0, 1\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e9\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eB\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eurgent\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e10\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_count\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e11\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_same_srv_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e12\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_srv_count\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e13\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_same_src_port_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e14\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_serror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e15\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_diff_srv_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e16\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_rerror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e17\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_srv_diff_host_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e18\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_ressor_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e19\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eH\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003edst_host_srv_serror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e20\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ehot\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e21\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eis_guest_login\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e0, 1\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e22\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eis_host_login\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e0, 1\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e23\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003elogged_in\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e0, 1\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e24\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_field_login\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e25\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_compromised\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e26\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esu_attempted\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e27\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eroot_shell\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e28\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_file_creations\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e29\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_root\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e30\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_access_files\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e31\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_shells\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e32\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eC\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003enum_outbound_cmds\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e33\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esrv_diff_host_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e34\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esrv_count\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e35\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ecount\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e36\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esrv_serror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e37\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eserror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e38\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esrv_rerror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e39\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ererror_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e40\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ediff_srv_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e41\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eT\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003esame_srv_rate\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eReal-data\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e42\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e-\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eclass\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003enormal, anomaly\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cdiv id=\"Sec4\" class=\"Section2\"\u003e\u003ch2\u003e3.1 Model Evaluation and Comparison\u003c/h2\u003e\u003cp\u003eAny intelligent model may be compared using several evaluation metrics, depending on particular assessment criteria. However, in this study, we employed two different types of evaluation measures:\u003c/p\u003e\u003cp\u003e\u003col\u003e\u003cspan\u003e\u003cli\u003e\u003cp\u003eTo assess the error rate of each utilized model, which is also an important factor in the evaluation of intelligence models, and\u003c/p\u003e\u003c/li\u003e\u003c/span\u003e\u003cspan\u003e\u003cli\u003e\u003cp\u003eTo assess the precision of each model.\u003c/p\u003e\u003c/li\u003e\u003c/span\u003e\u003c/ol\u003e\u003c/p\u003e\u003cp\u003eTwo measurements are employed to assess the error rate:\u003c/p\u003e\u003cp\u003e\u003cb\u003eKS\u003c/b\u003e is used to measure the degree of agreement between two raters or classifiers beyond that which would be expected by chance (Deist et al. 2018).\u003cdiv id=\"Equ1\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ1\" name=\"EquationSource\"\u003e\n$$\\:KS=\\:\\frac{{P}_{o}-\\:{P}_{e}}{1-\\:{P}_{e}}$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e1\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eWhere, \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{P}_{o}\\)\u003c/span\u003e\u003c/span\u003e Observed agreement (the proportion of times the raters agree), and \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{P}_{e}\\)\u003c/span\u003e\u003c/span\u003e expected agreement (the proportion of agreement expected by chance).\u003c/p\u003e\u003cp\u003e\u003cb\u003eMAE\u003c/b\u003e is used to measure the mean absolute error between paired observations that express the same attributes (Khan et al. 2020),\u003cdiv id=\"Equ2\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ2\" name=\"EquationSource\"\u003e\n$$\\:\\text{M}\\text{A}\\text{E}=\\frac{1}{\\text{n}}\\sum\\:_{\\text{i}=1}^{\\text{n}}\\left|{\\text{x}}_{\\text{i}}-\\text{x}\\right|$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e2\u003c/div\u003e\u003c/div\u003e.\u003c/p\u003e\u003cp\u003eWhere:\u003c/p\u003e\u003cp\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003en\u0026thinsp;=\u0026thinsp;the number of errors,\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e|xi \u0026ndash; x| = the absolute errors,\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eΣ\u0026thinsp;=\u0026thinsp;summation symbol (which means \u0026ldquo;add them all up\u0026rdquo;),\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/p\u003e\u003cp\u003eFor the assessment of precision, different measures are used, including F-measure, Recall, Precision, MCC, and Accuracy.\u003c/p\u003e\u003cp\u003e\u003cb\u003ePrecision\u003c/b\u003e and \u003cb\u003eRecall\u003c/b\u003e are useful for measuring the success of a predictor in unbalanced classes. Precision is the measure of relevancy in the results, and recall is the measure of truly relevant returned results (Naseem et al. 2020b),\u003cdiv id=\"Equ3\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ3\" name=\"EquationSource\"\u003e\n$$\\:\\text{P}\\text{r}\\text{e}\\text{c}\\text{i}\\text{s}\\text{i}\\text{o}\\text{n}=\\text{T}\\text{P}/(\\text{T}\\text{P}+\\text{F}\\text{P})$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e3\u003c/div\u003e\u003c/div\u003e,\u003cdiv id=\"Equ4\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ4\" name=\"EquationSource\"\u003e\n$$\\:\\text{R}\\text{e}\\text{c}\\text{a}\\text{l}\\text{l}=\\text{T}\\text{P}/(\\text{T}\\text{P}+\\text{F}\\text{N})$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e4\u003c/div\u003e\u003c/div\u003e.\u003c/p\u003e\u003cp\u003e\u003cb\u003eF-measure\u003c/b\u003e computes the predictor accuracy by taking a weighted average of precision and recall as (Subasi and Kremic 2020),\u003cdiv id=\"Equ5\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ5\" name=\"EquationSource\"\u003e\n$$\\:\\text{F}=\\frac{\\text{T}\\text{P}}{\\text{T}\\text{P}+\\frac{1}{2}(\\text{F}\\text{P}+\\text{F}\\text{N})}$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e5\u003c/div\u003e\u003c/div\u003e.\u003c/p\u003e\u003cp\u003e\u003cb\u003eMCC\u003c/b\u003e measures the quality through binary classifiers as [\u003cspan citationid=\"CR31\" class=\"CitationRef\"\u003e31\u003c/span\u003e] [\u003cspan citationid=\"CR33\" class=\"CitationRef\"\u003e33\u003c/span\u003e],\u003cdiv id=\"Equ6\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ6\" name=\"EquationSource\"\u003e\n$$\\:\\text{M}\\text{C}\\text{C}=\\frac{\\text{T}\\text{P}\\text{x}\\text{T}\\text{N}-\\text{F}\\text{P}\\text{x}\\text{F}\\text{N}}{\\sqrt{(\\text{T}\\text{P}+\\text{F}\\text{P})(\\text{T}\\text{P}+\\text{F}\\text{N})(\\text{T}\\text{N}+\\text{F}\\text{P})(\\text{T}\\text{N}+\\text{F}\\text{N})}}$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e6\u003c/div\u003e\u003c/div\u003e.\u003c/p\u003e\u003cp\u003e\u003cb\u003eAccuracy\u003c/b\u003e is the measure of how much the forecast is accurate and can be calculated as:\u003cdiv id=\"Equ7\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ7\" name=\"EquationSource\"\u003e\n$$\\:\\text{A}\\text{c}\\text{c}\\text{u}\\text{r}\\text{a}\\text{c}\\text{y}=\\:\\frac{\\text{T}\\text{P}+\\text{T}\\text{N}}{\\text{T}\\text{P}+\\text{T}\\text{N}+\\text{F}\\text{P}+\\text{F}\\text{N}}$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e7\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eWhere TP is the situations where the projected \"yes\" was correct (predict real intrusion), TN is expected a \"no\" (they are not the intrusion), FP anticipated the \"yes,\" but they are not the intruders (This is sometimes mentioned to as a \"Type I error\"), and FN expected \"no,\" yet they are the intruders. (This is often mentioned as a \"Type II error.\")\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec5\" class=\"Section2\"\u003e\u003ch2\u003e3.2 Proposed CS-Forest Model\u003c/h2\u003e\u003cp\u003eCS-Forest (Cost-Sensitive Forest) is an advanced ensemble learning approach specially designed for dealing with imbalanced datasets, incorporating cost-sensitive learning principles into traditional ensemble methods like RF (Siers and Islam 2014). CS-Forest emphasizes reducing the problem of class imbalance, as in many intrusion detection datasets, attacks or minority class are far less frequent than normal activity, or the majority class, and a higher cost is assigned for misclassifications of instances in the minority class to enhance the detection of the critical cases. The model depends on decision trees as base learners, but with a cost-sensitive approach during both sampling and training. In weighted sampling, minority-class instances get over-sampled or assigned higher weights to balance their influence. The weight for each instance \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{w}_{i}\\)\u003c/span\u003e\u003c/span\u003e is defined as:\u003cdiv id=\"Equ8\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ8\" name=\"EquationSource\"\u003e\n$$\\:{w}_{i}=\\left\\{\\begin{array}{c}{w}_{min}=\\:\\frac{N}{2\\cdot\\:{N}_{min}}\\:\\:\\:if\\:{y}_{i}=minority\\:class,\\\\\\:{w}_{maj}=\\:\\frac{N}{2\\cdot\\:{N}_{maj}}\\:\\:\\:if\\:{y}_{i}=majority\\:class,\\end{array}\\right.$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e8\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003ewhere \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:n\\)\u003c/span\u003e\u003c/span\u003e is the total number of samples, \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{N}_{min}\\)\u003c/span\u003e\u003c/span\u003e is the number of minority-class samples, and \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{N}_{maj}\\)\u003c/span\u003e\u003c/span\u003e is the number that denotes the majority-class samples. This, in turn, ensures that minority-class instances have more influence during tree building. The splitting criterion in each tree is tuned concerning costs. For instance, a cost-sensitive definition of Gini impurity is as follows:\u003cdiv id=\"Equ9\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ9\" name=\"EquationSource\"\u003e\n$$\\:△{G}_{cost}=\\:\\sum\\:_{c\\in\\:\\left\\{classes\\right\\}}{w}_{c}\\cdot\\:\\:{p}_{c}\\left(1-{p}_{c}\\right),$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e9\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003ewhere \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{w}_{c}\\)\u003c/span\u003e\u003c/span\u003e is the cost weight for class \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:c\\)\u003c/span\u003e\u003c/span\u003e, and \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{p}_{c}\\)\u003c/span\u003e\u003c/span\u003e The probability of class \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:c\\)\u003c/span\u003e\u003c/span\u003e in the split. This modification prefers splits that have a higher improvement on the minority-class instances than the majority-class instances.\u003c/p\u003e\u003cp\u003eDuring ensemble aggregation, the predictions of individual trees are combined through weighted majority voting. The final prediction for an instance \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:x\\)\u003c/span\u003e\u003c/span\u003e is given by:\u003cdiv id=\"Equ10\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ10\" name=\"EquationSource\"\u003e\n$$\\:\\widehat{y}\\left(x\\right)=\\:\\underset{c}{\\text{argmax}}\\sum\\:_{t=1}^{T}\\mathbb{I}({t}_{t}\\left(x\\right)=c)\\cdot\\:{w}_{c},$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e10\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003ewhere \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:T\\)\u003c/span\u003e\u003c/span\u003e is the number of trees, \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{h}_{t}\\left(x\\right)\\)\u003c/span\u003e\u003c/span\u003e is the prediction from the t-th tree, \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:\\mathbb{I}\\)\u003c/span\u003e\u003c/span\u003e is an indicator function, and \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{w}_{c}\\)\u003c/span\u003e\u003c/span\u003e is the cost weight for class \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:c\\)\u003c/span\u003e\u003c/span\u003e. This ensures that the final prediction incorporates the cost sensitivity learned during training.\u003c/p\u003e\u003cp\u003eCS-Forest reduces false negatives by overemphasizing minority-class predictions, which makes it particularly effective for intrusion detection applications. Its ensemble-based nature is noise and overfitting robustness, and cost-sensitive adjustments make it capable of hunting for rare patterns that are critical. Proper fine-tuning of a cost matrix is very important to optimize the model for that particular dataset and the requirements of the task. Algorithm 1 technically shows how the CS-Forest in this study is used for the NID.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Taba\" border=\"1\"\u003e\u003ccolgroup cols=\"1\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAlgorithm 1: CS-Forest Model Algorithm for Network Intrusion Detection\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eInput\u003c/b\u003e:\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:D={\\left\\{\\right({x}_{i},\\:{y}_{i}\\left)\\right\\}}_{i=1}^{N}:Dataset\\:with\\:N\\:samples\\)\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:T:Number\\:of\\:trees.\\)\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u0026bull; \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:CostMatric=\\{{C}_{FP},\\:{C}_{FN}\\}\\)\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eOutput\u003c/b\u003e:\u003c/p\u003e\u003cp\u003eTrained CS-Forest model\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e\u003cb\u003eSteps\u003c/b\u003e:\u003c/p\u003e\u003cp\u003e1. Initialize the weights for all samples:\u003c/p\u003e\u003cp\u003e\u003cb\u003eFor\u003c/b\u003e each sample \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:\\left({x}_{i},\\:{y}_{i}\\right)\\in\\:D:\\)\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eIf\u003c/b\u003e \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{y}_{i}=minorty\\:class\\)\u003c/span\u003e\u003c/span\u003e (intrusion)\u003c/p\u003e\u003cp\u003e\u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{w}_{i}\\leftarrow\\:\\frac{N}{\\left(2*\\:{N}_{min}\\right)}\\)\u003c/span\u003e\u003c/span\u003e (11)\u003c/p\u003e\u003cp\u003e\u003cb\u003eElse\u003c/b\u003e:\u003c/p\u003e\u003cp\u003e\u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{w}_{i}\\leftarrow\\:\\frac{N}{\\left(2*\\:{N}_{maj}\\right)}\\)\u003c/span\u003e\u003c/span\u003e (12)\u003c/p\u003e\u003cp\u003e2. \u003cb\u003eFor\u003c/b\u003e \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:t=1\\)\u003c/span\u003e\u003c/span\u003e to \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:T\\)\u003c/span\u003e\u003c/span\u003e: //Train T trees\u003c/p\u003e\u003cp\u003ea. Generate a weighted bootstrap sample \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{D}_{t}\\)\u003c/span\u003e\u003c/span\u003e from \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:D\\)\u003c/span\u003e\u003c/span\u003e using \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{w}_{i}\\)\u003c/span\u003e\u003c/span\u003e.\u003c/p\u003e\u003cp\u003eb. Train a decision tree \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{h}_{t}\\)\u003c/span\u003e\u003c/span\u003e on \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{D}_{t}\\)\u003c/span\u003e\u003c/span\u003e:\u003c/p\u003e\u003cp\u003ei. At each node, calculate the cost-sensitive split:\u003c/p\u003e\u003cp\u003e\u003cb\u003eFor\u003c/b\u003e each split \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:S\\)\u003c/span\u003e\u003c/span\u003e:\u003c/p\u003e\u003cp\u003eCompute \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:△{G}_{cost}=\\:\\sum\\:_{c\\in\\:\\left\\{classes\\right\\}}{w}_{c}\\cdot\\:\\:{p}_{c}\\left(1-{p}_{c}\\right),\\)\u003c/span\u003e\u003c/span\u003e (13)\u003c/p\u003e\u003cp\u003eii. Select the split \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{S}^{*}\\)\u003c/span\u003e\u003c/span\u003e with the maximum \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:△{G}_{cost}\\)\u003c/span\u003e\u003c/span\u003e.\u003c/p\u003e\u003cp\u003e\u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{S}^{*}=\\underset{c}{\\text{a}\\text{r}\\text{g}\\text{m}\\text{a}\\text{x}}△{G}_{cost}\\left(S\\right)\\)\u003c/span\u003e\u003c/span\u003e. (14)\u003c/p\u003e\u003cp\u003eiii. Repeat until the tree grows to full depth or the stopping criteria are met.\u003c/p\u003e\u003cp\u003e3. Aggregate prediction from all trees:\u003c/p\u003e\u003cp\u003e\u003cb\u003eFor\u003c/b\u003e each sample \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:x\\)\u003c/span\u003e\u003c/span\u003e in the test set:\u003c/p\u003e\u003cp\u003e\u003cb\u003eInitialize\u003c/b\u003e \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:votes\\left[c\\right]\\:\\leftarrow\\:0\\)\u003c/span\u003e\u003c/span\u003e for each class \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:c\\)\u003c/span\u003e\u003c/span\u003e.\u003c/p\u003e\u003cp\u003e\u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:votes\\left[c\\right]=0,\\:\\forall\\:c\\in\\:classes\\)\u003c/span\u003e\u003c/span\u003e.\u003c/p\u003e\u003cp\u003e\u003cb\u003eFor\u003c/b\u003e \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:t=1\\)\u003c/span\u003e\u003c/span\u003e to \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:T\\)\u003c/span\u003e\u003c/span\u003e:\u003c/p\u003e\u003cp\u003ePredicted class \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:{h}_{t}\\left(x\\right)\\leftarrow\\:class\\)\u003c/span\u003e\u003c/span\u003e label from tree \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:t\\)\u003c/span\u003e\u003c/span\u003e.\u003c/p\u003e\u003cp\u003e\u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:votes\\left[{h}_{t}\\left(x\\right)\\right]\\leftarrow\\:votes\\left[{h}_{t}\\left(x\\right)\\right]+{w}_{c}\\)\u003c/span\u003e\u003c/span\u003e//Add class weight.\u003c/p\u003e\u003cp\u003eFinal prediction for \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:x\\)\u003c/span\u003e\u003c/span\u003e:\u003c/p\u003e\u003cp\u003e\u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:\\widehat{y}\\left(x\\right)\\leftarrow\\:\\underset{c}{\\text{argmax}}votes\\left[c\\right]\\)\u003c/span\u003e\u003c/span\u003e (15)\u003c/p\u003e\u003cp\u003e4. \u003cb\u003eReturn\u003c/b\u003e the ensemble \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:\\{{h}_{1},\\:{h}_{2},\\:\\dots\\:,\\:{h}_{t}\\}\\)\u003c/span\u003e\u003c/span\u003e.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThe CS-Forest algorithm is a cost-sensitive ensemble method that would be especially effective in class imbalance scenarios, such as network intrusion detection. It first assigns weights to every sample based on class representation: higher weights for the minority-class samples to counterbalance their underrepresentation. Then, by using such weighted bootstrap samples for training, each decision tree within the ensemble is generated. At each node in the tree, splits are cost-sensitive using the impurity measure. \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:△{G}_{cost}\\)\u003c/span\u003e\u003c/span\u003e, which will incorporate class weights and probabilities, and thus favor splits that separate classes better. Trees are grown until stopping criteria, such as maximum depth, are met. During prediction, the ensemble aggregates outputs from all trees, making use of a weighted voting mechanism where votes are influenced by class weights. The class with the highest aggregated vote will determine the last prediction to ensure cost-sensitive and robust decision-making in imbalanced datasets.\u003c/p\u003e\u003cp\u003eThis cost-sensitive mechanism, within CS-Forest, balances the weight for the minority-class instances, giving more importance to these under-represented attacks in the learning phase. Here, a cost matrix is incorporated such that any misclassification in minority-class samples gets penalized with a larger penalty, prompting the model to prioritize these instances. The ensemble learning process then merges multiple decision trees, where one tree is used for training against a subset of the data based on balancing its class distribution. This ensemble can help to offset the problem that occurs with an imbalanced distribution of classes, increasing the detection power of rare or minority-class attacks.\u003c/p\u003e\u003cp\u003eFor both the proposed CS-Forest model and the comparison models. For CS-Forest, important hyperparameters were tuned to guarantee the robustness of the model. The number of trees in the ensemble was set between 50 and 200, and an optimal value of 150 was selected based on validation accuracy and error metrics. A cost-sensitive matrix was constructed to penalize the misclassification of minority-class attacks, with the weights determined empirically through grid search. The maximum depth of the trees was set to 20, to find a balance between computational efficiency and detection accuracy. For splitting, the Gini impurity criterion was used as it proved to be more effective in detecting rare attacks. Minimum samples per leaf were set to 2 to avoid over-complexity while still capturing critical decision boundaries. For the comparison models, specific hyperparameters were also carefully tuned. In A1DE, the equivalent sample size was optimized within the range of 1 to 10. For KNN, the number of neighbors varied between 3 and 15, with optimal results at 5 neighbors. The NB model, with limited tunable parameters, required no additional tuning. The Random Forest algorithm was used with 100 estimators, the maximum depth set at 20, and the Gini impurity was selected as the splitting criterion. SVM utilized a radial basis function kernel with a regularization parameter C optimized in the range 10\u003csup\u003e\u0026minus;\u0026thinsp;2\u003c/sup\u003e to 10\u003csup\u003e2\u003c/sup\u003e. In the kernel coefficient γ it was adjusted through grid search.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec6\" class=\"Section2\"\u003e\u003ch2\u003e3.3 Benchmarked Model\u003c/h2\u003e\u003cp\u003eThe performance of the proposed CS-Forest model is compared with standard benchmark models routinely used in previous studies. The comparison aims to assess the effectiveness, robustness, and overall utility of the proposed model in addressing class imbalance issues and improving predictive accuracy. By comparison with widely recognized models, the paper aims to reveal how much the CS-Forest algorithm contributes to progress made by focusing on its possibility of overcoming the difficulties of cost-sensitive learning and enabling applicability in real-world network intrusion detection. Table\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e shows the list of employed benchmarked models.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab3\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 3\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eList of Benchmark Models Used for Performance Comparison\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"2\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eModel\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eReferences\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAverage One Dependency Estimator (A1DE)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e(Naseem et al. 2020c; Khan et al. 2021)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eSupport Vector Machine (SVM)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e(Mehr and Ramamurthy 2019; Chaabane et al. 2022)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eNa\u0026iuml;ve Bayes (NB)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e(Chen et al. 2016; Iqbal et al. 2019)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eK-nearest Neighbor (KNN)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e(Iqbal et al. 2019; Dini and Saponara 2021)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eRandom Forest (RF)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e(Alsaeedi and Khan 2019; Iqbal et al. 2019)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003c/div\u003e"},{"header":"4. Results Analysis and Discussion","content":"\u003cp\u003eThis study focuses on AI-based NIDS using the NSL-KDD dataset. To this end, the study proposes a CS-Forest model compared with standard models used in the recent past based on precision, F-measure, recall, accuracy, MAE, and KS. In NIDS, KS measures the agreement between the predicted and actual classifications concerning the possibility that the agreement occurred by chance. It can be very helpful on imbalanced datasets where the accuracy can be misleading. MAE evaluates how big, on average, the errors in predictions are, thus providing information on the model's precision, calculated as an absolute difference between predictions and actual labels. Together, these measures can give a complete estimation of classification performance as well as prediction correctness, thus supporting robust assessment of intrusion detection models. Figure\u0026nbsp;\u003cspan class=\"InternalRef\"\u003e2\u003c/span\u003e shows the analysis evaluated through KS and MAE. Analysis shows that the CS-Forest model demonstrates better performance. CS-Forest achieves the highest KS value (0.747), indicating significantly stronger agreement between predictions and actual outcomes compared to other models, such as RF (0.619) and KNN (0.579). While CS-Forest's MAE (0.207) is marginally higher than KNN (0.209) and RF (0.196), this slight trade-off in prediction error is outweighed by its better classification consistency, as reflected in the KS score. Results indicate that CS-Forest is the most reliable model in network intrusion detection, concerning strong classification agreement combined with competitive prediction precision.\u003c/p\u003e\n\u003cp\u003eFigure \u003cspan class=\"InternalRef\"\u003e3\u003c/span\u003e presents the true positive rate (TPR) and false positive rate (FPR) analysis of the proposed CS-Forest compared with other employed models. CS-Forest shows the highest value of TPR, 0.874; it correctly points out actual intrusions better than the others. Furthermore, this model has the lowest FPR, equal to 0.116, which also minimizes false alarms. These are the results that position CS-Forest as the most effective model for true and reliable intrusion detection. The RF follows with a strong TPR at 0.805 and a relatively low FPR at 0.155, hence becoming a competitive alternative for applications that accept slightly higher FPR. KNN and A1DE models show moderate performance, balanced by TPR and FPR, which is suitable for less critical scenarios. NB and SVM have the lowest TPRs and comparatively higher FPRs, indicating reduced efficacy to detect intrusion, along with an increased likelihood of false alarms, which limits the reliability in high-stakes environments.\u003c/p\u003e\n\u003cp\u003eFigure \u003cspan class=\"InternalRef\"\u003e4\u003c/span\u003e shows the analysis evaluated through precision, recall, and F-measure. The results show that CS-Forest is the better performer, boasting the highest values in terms of Precision at 0.88, Recall at 0.874, and F-measure value of 0.875, making it the most balanced model and effective intrusion classifier with fewer false positives and high sensitivity to the true intrusions. The RF ranks second with a strong Precision of 0.852, Recall of 0.805, and F-measure of 0.803. Therefore, it would be a suitable alternative for applications where performance slightly lower than perfect is tolerable. Similar to KNN and A1DE, the models have a good balance across metrics; they are thus appropriate for moderately critical scenarios. In contrast, NB and SVM provide lower F-measure values, amounting to 0.759 and 0.752, respectively, indicating less balanced performance and reduced effectiveness in cases when both precision and recall are demanded.\u003c/p\u003e\n\u003cp\u003eFigure \u003cspan class=\"InternalRef\"\u003e5\u003c/span\u003e compares the MCC of different models for NIDS. The CS-Forest model has the highest value, with an MCC equal to 0.751, which is substantially better than other models, including Random Forest (RF) at 0.658 and KNN at 0.621. Its performance could be attributed to the ability of CS-Forest to handle high-dimensional data and learn complicated patterns through ensemble learning techniques to enhance both generalization and detection accuracy. Although competitive, other models, like RF and KNN, are prone to overfitting or suboptimal feature use for complex datasets, limiting their MCC scores. This means that CS-Forest is more robust and suitable for NIDS.\u003c/p\u003e\n\u003cp\u003eFigure \u003cspan class=\"InternalRef\"\u003e6\u003c/span\u003e demonstrates the accuracy of different models for NIDS, where CS-Forest is found to be the most accurate model, at 87.41%, thus beating the rest by a significant margin. The second-best-performing model, RF, with an accuracy of 80.45%, displays a huge gap of almost 7 percentage points, which indicates that CS-Forest exhibits better predictive potential. Other models, like KNN at 78.29% and A1DE at 77.16%, are moderately accurate. Meanwhile, NB and SVM lag at 76.12% and 75.39% in accuracy, respectively. The increased accuracy of CS-Forest is due to its powerful ensemble learning mechanism. It makes use of optimized feature selection and voting strategies in deciding the best decision tree out of a multi-decision tree combination. Models like SVM and NB, based on weaker assumptions or single-layer decision boundaries, lack the complexity and the high dimensionality of NIDS data, and therefore suffer from comparatively lower performance. It means that CS-Forest is very efficient for making correct intrusion detection in complex situations.\u003c/p\u003e\n\u003cp\u003eThe cross-comparison of the models in Table\u0026nbsp;\u003cspan class=\"InternalRef\"\u003e4\u003c/span\u003e shows that the proposed CS-Forest model outperforms other models in accuracy. CS-Forest reached an accuracy of 87.41%, which significantly outperformed the second-best model, RF, by 6.96%, and showed even greater gaps with models like KNN 9.12%, A1DE 10.25%, NB 11.29%, and SVM 12.02%. This can be attributed to the ensemble mechanism in CS-Forest, in that decision trees are aggregated at an optimized level and have features of importance together with class correlations for increasing precision. Moreover, the forest of CS might exploit a sampling technique at the next level, improved techniques handling class imbalance, as well as robust optimization approaches crucial in detecting rare and subtle intrusion patterns in the network. In contrast, conventional models such as SVM and NB rely on easier assumptions and do not have the inherent ability to model sophisticated interactions in data. As much as RF can exhibit good performance due to an ensemble approach, CS-Forest further refines the same by using tailored approaches for tree building and voting mechanisms specific to network intrusion detection, making it the best model in this work.\u003c/p\u003e\n\u003cdiv class=\"gridtable\"\u003e\n\u003cdiv class=\"colspec\" align=\"left\"\u003e\u0026nbsp;\u003c/div\u003e\n\u003ctable id=\"Tab4\" border=\"1\"\u003e\u003ccaption\u003e\n\u003cdiv class=\"CaptionNumber\"\u003eTable 4\u003c/div\u003e\n\u003cdiv class=\"CaptionContent\"\u003e\n\u003cp\u003eCross-comparison of Employed Model Accuracies for NIDS\u003c/p\u003e\n\u003c/div\u003e\n\u003c/caption\u003e\n\u003cthead\u003e\n\u003ctr\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eModel\u003c/p\u003e\n\u003c/th\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eSVM\u003c/p\u003e\n\u003c/th\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eNB\u003c/p\u003e\n\u003c/th\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eA1DE\u003c/p\u003e\n\u003c/th\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eKNN\u003c/p\u003e\n\u003c/th\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eRF\u003c/p\u003e\n\u003c/th\u003e\n\u003cth align=\"left\"\u003e\n\u003cp\u003eCS-Forest\u003c/p\u003e\n\u003c/th\u003e\n\u003c/tr\u003e\n\u003c/thead\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e\u003cstrong\u003eSVM\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e---\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;0.73\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;1.77\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;2.90\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;5.06\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;12.02\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e\u003cstrong\u003eNB\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-0.73\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e---\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;1.04\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;2.17\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;4.33\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;11.29\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e\u003cstrong\u003eA1DE\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-1.77\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-1.04\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e---\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;1.13\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;3.29\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;10.25\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e\u003cstrong\u003eKNN\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-2.90\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-2.17\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-1.13\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e---\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;2.16\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;9.12\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e\u003cstrong\u003eRF\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-5.06\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-4.33\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-3.29\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-2.16\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e---\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e+\u0026thinsp;6.96\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e\u003cstrong\u003eCS-Forest\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-12.02\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-11.29\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-10.25\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-9.12\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e-6.96\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd align=\"left\"\u003e\n\u003cp\u003e---\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\u003c/div\u003e\n\u003cp\u003eThe CS-Forest model proposes to overcome the major limitations in existing intrusion detection systems by addressing the class imbalance, commonly found in network intrusion datasets. Traditional models of this genre fail to correctly classify the minority-class instances, causing high false negatives and thereby reducing the impact of intrusion detection. Under cost-sensitive learning principles, underrepresented classes are assigned heavier misclassification penalties, enhancing the detection of rare attack patterns through CS-Forest. This is done using weighted sampling and cost-sensitive split criteria, which prefer the detection of minority-class samples. In addition, the ensemble-based approach of CS-Forest increases its resistance to noise and overfitting, which can be reliable in real-world applications. The model's fine-tuning cost matrices further allow adaptability, making the optimization dependent on the specific dataset characteristics and task requirements for a more precise and effective solution. Moreover, CS-Forest improves computational efficiency using lightweight decision tree ensembles and is thus applicable to real-time intrusion detection in resource-constrained environments. Combining improved minority-class detection, computational efficiency, and adaptability, CS-Forest is a robust solution to the challenges facing network intrusion detection today.\u003c/p\u003e\n\u003cp\u003eDespite the promising results of the proposed CS-Forest model for network intrusion detection, there are several limitations in this study. The performance of the model is heavily dependent on the quality and representativeness of the NSL-KDD dataset, which may not fully capture the wide variety of modern intrusion techniques or real-world network environments. In addition, although the CS-Forest model adequately deals with the class imbalance issue by adopting cost-sensitive learning, the performance may drop when facing highly complex or evolving patterns of attacks not well presented in the training data. Moreover, because the decision tree is a base learner of the model, it may be unable to model sophisticated patterns as it could with more complex models, such as DL.\u003c/p\u003e\n\u003cdiv id=\"Sec8\" class=\"Section2\"\u003e\n\u003ch2\u003e4.1 Discussion\u003c/h2\u003e\n\u003cp\u003eThe improved performance of the proposed CS-Forest model over the conventional machine learning classifiers (e.g., SVM, NB, KNN, A1DE, RF) in the network intrusion detection area can be attributed to the synergistic effects of a combination of a few significant technical advancements and architectural improvements specifically addressing the difficulties embedded in network intrusion datasets, specifically class imbalance, high-dimensional data, and dynamic attack patterns.\u003c/p\u003e\n\u003cstrong\u003ea. Cost-Sensitive Learning Strategy\u003c/strong\u003e: The foundation of CS-Forest's strength is rooted in its cost-sensitive mechanism that incurs increased misclassification penalty for minority-class samples (rare and worse attack types). On the contrary, traditional algorithms such as SVM, NB, and even RF employ either a uniform cost matrix or class-neutral loss functions. This makes these models biased towards the majority classes at the expense of poor detection against underrepresented attacks. By incorporating cost-sensitive weighting during both the training and decision-making phases, CS-Forest ensures that rare attacks are not ignored, substantially reducing false negatives for minority classes.\n\u003cp\u003e\u003cstrong\u003eb. Ensemble-Based Architecture\u003c/strong\u003e: In contrast to single learner models such as SVM and NB, CS-Forest uses ensemble learning with an optimized sequence of decision trees. Each is trained using weighted sampling and class-aware splitting rules, allowing the ensemble to learn diverse and complementary decision boundaries. This not only enhances generalization but also suppresses variance and overfitting, the usual pitfalls in models such as KNN and RF when presented with high-dimensional and noisy intrusion data.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003ec. High-Dimensional Feature Handling\u003c/strong\u003e: Intrusion detection datasets such as NSL-KDD contain high-dimensional feature spaces with many redundant or irrelevant features. CS-Forest, by its cost-sensitive tree construction and ensemble voting process, implicitly picks more discriminative features at splits, thus filtering out noise and emphasizing the most important features. In contrast, models such as NB rely on conditional independence assumptions, while SVM doesn't have built-in feature selection, so they are less suitable for such noisy, high-dimensional environments.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003ed. Robustness to Class Imbalance and Overfitting\u003c/strong\u003e: The CS-Forest model is immune to the high class imbalance often found in NIDS data. Although RF makes use of ensemble learning, its uniform sampling and voting approach is not optimal for underrepresented attack classes. CS-Forest optimizes this using cost-sensitive voting, where trees trained on minority-class data proportionally have a greater impact. Additionally, penalization mechanisms are used in the split criteria selection, essentially regularizing the learning process and lowering overfitting on major classes.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003ee. Consistent Performance Across Evaluation Metrics\u003c/strong\u003e: Empirical results from the analysis validate the dominance of the CS-Forest model using various evaluation metrics. The Kolmogorov\u0026ndash;Smirnov (KS) value of 0.747 and the Matthews Correlation Coefficient (MCC) of 0.751 indicate the robust classification agreement and balanced predictive strength of the model, especially under imbalanced class distributions. Furthermore, CS-Forest has a precision rate of 0.88, a recall rate of 0.874, and an F-measure of 0.875, proving highly sensitive and specific, as is required to guarantee both precise and sound intrusion detections. The model also reflects an overall accuracy rate of 87.41%, performing much better than other classifiers, namely, Random Forest, which performs about 7% behind. In addition, the true positive rate (0.874) and false positive rate (0.116) confirm the model's efficacy in intrusion detection while maintaining false alarms to a bare minimum, an essential prerequisite for real-world deployment in security-critical environments.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003ef. Scalability and Real-Time Applicability\u003c/strong\u003e: The application of light decision tree structures renders CS-Forest computationally efficient, particularly against deep models or kernel-based SVMs. Such scalability renders it a viable option for real-time NIDS deployment, particularly in resource-limited environments such as edge devices or embedded security appliances.\u003c/p\u003e\n\u003c/div\u003e"},{"header":"5. Conclusion","content":"\u003cp\u003eThe study proposes a novel cost-sensitive decision tree ensemble model known as CS-Forest, intended to improve the detection of minority-class intrusions in intrusion detection systems. This approach reduces the false positive and false negative rates by addressing the imbalance in the distributions of the attack classes. Detailed tests on the NSL-KDD dataset show that CS-Forest outperforms all others by gaining a detection accuracy of 87.41%, and it even outperformed the underrepresented attack classes against the traditional models A1DE, KNN, NB, RF, and SVM. The proposed model uses a cost-sensitive approach towards decision tree learning, which robustly performs over all classes of attacks. These results confirm the real-world applicability of CS-Forest in practical IDS implementations, providing an efficient solution to enhance network security. The findings presented in this paper confirm the claims made and contribute to the advancement of IDS research by addressing critical challenges in intrusion detection.\u003c/p\u003e\u003cp\u003eFuture work may include further optimization of the CS-Forest model through ensemble strategies and the incorporation of more cost-sensitive techniques to improve detection accuracy. Real-time deployment in dynamic network environments may also be tested to evaluate the performance and scalability of the model. Further evaluation of diverse datasets and integration with other advanced ML approaches may also enhance the robustness and applicability of the model for various intrusion detection scenarios.\u003c/p\u003e"},{"header":"Declarations","content":"\u003cp\u003e\u003ch2\u003eConflicts of Interest:\u003c/h2\u003e\u003cp\u003eThe author declares that they have no conflicts of interest to report regarding the present study.\u003c/p\u003e\u003c/p\u003e\u003ch2\u003eFunding Statement:\u003c/h2\u003e\u003cp\u003eThis research is supported by a grant (No. CRPG-25-3320) under the Cybersecurity Research and Innovation Pioneers Initiative, provided by the National Cybersecurity Authority (NCA) in the Kingdom of Saudi Arabia.\u003c/p\u003e\u003ch2\u003eAuthor Contribution\u003c/h2\u003e\u003cp\u003eThis paper has a single author\u003c/p\u003e\u003ch2\u003eAcknowledgement\u003c/h2\u003e\u003cp\u003eThis research is supported by a grant (No. CRPG-25-3320) under the Cybersecurity Research and Innovation Pioneers Initiative, provided by the National Cybersecurity Authority (NCA) in the Kingdom of Saudi Arabia.\u003c/p\u003e\u003ch2\u003eData Availability\u003c/h2\u003e\u003cp\u003eThe data used in the study were obtained from the Kaggle repository, available online at: https://www.kaggle.com/datasets/hassan06/nslkdd.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003eAlamin Talukder, M. et al. A Dependable Hybrid Machine Learning Model for Network Intrusion Detection. arXiv e-prints arXiv-2212 (2022).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eAlamin Talukder, M. et al. Machine learning-based network intrusion detection for big and imbalanced data using oversampling, stacking feature embedding and feature extraction. (2024). arXiv e-prints arXiv-2401.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eAlsaeedi, A. \u0026amp; Khan, M. Z. Software Defect Prediction Using Supervised Machine Learning and Ensemble Techniques: A Comparative Study. 85\u0026ndash;100. (2019). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.4236/jsea.2019.125007\u003c/span\u003e\u003cspan address=\"10.4236/jsea.2019.125007\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eAmor, N., Ben, Benferhat, S. \u0026amp; Elouedi, Z. Naive bayes vs decision trees in intrusion detection systems. In: Proceedings of the 2004 ACM symposium on Applied computing. pp 420\u0026ndash;424 (2004).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eAmru, M. et al. Network intrusion detection system by applying ensemble model for smart home. \u003cem\u003eInt. J. Electr. Comput. Eng.\u003c/em\u003e (2024). (2088\u0026ndash;8708) \u003cb\u003e14\u003c/b\u003e.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eAndresini, G., Appice, A., De Rose, L. \u0026amp; Malerba, D. GAN augmentation to deal with imbalance in imaging-based intrusion detection. \u003cem\u003eFuture Generation Comput. Syst.\u003c/em\u003e \u003cb\u003e123\u003c/b\u003e, 108\u0026ndash;127 (2021).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eApruzzese, G., Pajola, L. \u0026amp; Conti, M. The cross-evaluation of machine learning-based network intrusion detection systems. \u003cem\u003eIEEE Trans. Netw. Serv. Manage.\u003c/em\u003e \u003cb\u003e19\u003c/b\u003e, 5152\u0026ndash;5169 (2022).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eBalla, A. et al. The effect of dataset imbalance on the performance of scada intrusion detection systems. \u003cem\u003eSensors\u003c/em\u003e \u003cb\u003e23\u003c/b\u003e, 758 (2023).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eBertoli, G. \u0026amp; J\u0026uacute;nior, L. \u0026hellip; OS-I, undefined An end-to-end framework for machine learning-based network intrusion detection system. ieeexplore.ieee.org (2021).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eChaabane, S., Ben, Hijji, M., Harrabi, R. \u0026amp; Seddik, H. Face recognition based on statistical features and SVM classifier. \u003cem\u003eMultimedia Tools Appl.\u003c/em\u003e \u003cb\u003e81\u003c/b\u003e, 8767\u0026ndash;8784 (2022).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eChen, C. et al. An explanatory analysis of driver injury severity in rear-end crashes using a decision table/Na\u0026iuml;ve Bayes (DTNB) hybrid classifier. \u003cem\u003eAccid. Anal. Prev.\u003c/em\u003e \u003cb\u003e90\u003c/b\u003e, 95\u0026ndash;107. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1016/j.aap.2016.02.002\u003c/span\u003e\u003cspan address=\"10.1016/j.aap.2016.02.002\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2016).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eChoudhury, S. \u0026amp; Bhowal, A. Comparative analysis of machine learning algorithms along with classifiers for network intrusion detection. 2015 International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and Materials, ICSTM 2015 - Proceedings 89\u0026ndash;95. (2015). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1109/ICSTM.2015.7225395\u003c/span\u003e\u003cspan address=\"10.1109/ICSTM.2015.7225395\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eDeist, T. M. et al. Machine learning algorithms for outcome prediction in (chemo)radiotherapy: An empirical comparison of classifiers. \u003cem\u003eMed. Phys.\u003c/em\u003e \u003cb\u003e45\u003c/b\u003e, 3449\u0026ndash;3459. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1002/mp.12967\u003c/span\u003e\u003cspan address=\"10.1002/mp.12967\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2018).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eDini, P. \u0026amp; Saponara, S. Analysis, design, and comparison of machine-learning techniques for networking intrusion detection. \u003cem\u003eDesigns\u003c/em\u003e \u003cb\u003e5\u003c/b\u003e, 1\u0026ndash;22. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.3390/designs5010009\u003c/span\u003e\u003cspan address=\"10.3390/designs5010009\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2021).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eHoldings, T. \u0026amp; Trustwave Global Security Report.. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/\u003c/span\u003e\u003cspan address=\"https://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e. Accessed 14 Jan 2025.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eIqbal, A. et al. Performance analysis of machine learning techniques on software defect prediction using NASA datasets. \u003cem\u003eInt. J. Adv. Comput. Sci. Appl.\u003c/em\u003e \u003cb\u003e10\u003c/b\u003e, 300\u0026ndash;308. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.14569/ijacsa.2019.0100538\u003c/span\u003e\u003cspan address=\"10.14569/ijacsa.2019.0100538\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2019).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eJavaid, A., Niyaz, Q., Sun, W. \u0026amp; Alam, M. A deep learning approach for network intrusion detection system. In: Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS). pp 21\u0026ndash;26 (2016).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eJoraviya, N., Gohil, B. N. \u0026amp; Rao, U. P. Ab-HIDS: An anomaly‐based host intrusion detection system using frequency of N‐gram system call features and ensemble learning for containerized environment. Concurrency and Computation: Practice and Experience 36:e8249 (2024).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eKhan, B. et al. An empirical evaluation of machine learning techniques for chronic kidney disease prophecy. \u003cem\u003eIEEE Access.\u003c/em\u003e \u003cb\u003e8\u003c/b\u003e, 55012\u0026ndash;55022. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1109/ACCESS.2020.2981689\u003c/span\u003e\u003cspan address=\"10.1109/ACCESS.2020.2981689\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2020).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eKhan, B. et al. Software Defect Prediction for Healthcare Big Data: An Empirical Evaluation of Machine Learning Techniques. \u003cem\u003eJ. Healthc. Eng. 2021\u003c/em\u003e. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1155/2021/8899263\u003c/span\u003e\u003cspan address=\"10.1155/2021/8899263\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2021).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eKim, G., Lee, S. \u0026amp; Kim, S. A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. \u003cem\u003eExpert Syst. Appl.\u003c/em\u003e \u003cb\u003e41\u003c/b\u003e, 1690\u0026ndash;1700 (2014).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eKumar, V. \u0026amp; Sinha, D. Synthetic attack data generation model applying generative adversarial network for intrusion detection. \u003cem\u003eComputers Secur.\u003c/em\u003e \u003cb\u003e125\u003c/b\u003e, 103054 (2023).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eLavanya, T. \u0026amp; Rajalakshmi, K. Heterogenous ensemble learning driven multi-parametric assessment model for hardware Trojan detection. \u003cem\u003eIntegration\u003c/em\u003e \u003cb\u003e89\u003c/b\u003e, 217\u0026ndash;228 (2023).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eMehr, S. Y. \u0026amp; Ramamurthy, B. An SVM based DDoS attack detection method for Ryu SDN controller. In: Proceedings of the 15th international conference on emerging networking experiments and technologies. pp 72\u0026ndash;73 (2019).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eNaseem, R. et al. Investigating Tree Family Machine Learning Techniques for a Predictive System to Unveil Software Defects. \u003cem\u003eComplexity\u003c/em\u003e \u003cb\u003e2020\u003c/b\u003e, 1\u0026ndash;21. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1155/2020/6688075\u003c/span\u003e\u003cspan address=\"10.1155/2020/6688075\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2020a).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eNaseem, R. et al. Performance Assessment of Classification Algorithms on Early Detection of Liver Syndrome. \u003cem\u003eJ. Healthc. Eng. 2020\u003c/em\u003e. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1155/2020/6680002\u003c/span\u003e\u003cspan address=\"10.1155/2020/6680002\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2020b).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eNaseem, R. et al. Performance Assessment of Classification Algorithms on Early Detection of Liver Syndrome. \u003cem\u003eJ. Healthc. Eng. 2020\u003c/em\u003e. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1155/2020/6680002\u003c/span\u003e\u003cspan address=\"10.1155/2020/6680002\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2020c).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eRen, J. et al. An multi-level intrusion detection method based on KNN outlier detection and random forests. \u003cem\u003eJ. Comput. Res. Dev.\u003c/em\u003e \u003cb\u003e56\u003c/b\u003e, 566\u0026ndash;575 (2019).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eSatilmiş, H., Akleylek, S. \u0026amp; Tok, Z. Y. A Systematic Literature Review on Host-Based Intrusion Detection Systems. \u003cem\u003eIeee Access.\u003c/em\u003e \u003cb\u003e12\u003c/b\u003e, 27237\u0026ndash;27266 (2024).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eShapoorifard, H. \u0026amp; Shamsinejad, P. Intrusion detection using a novel hybrid method incorporating an improved KNN. \u003cem\u003eInt. J. Comput. Appl.\u003c/em\u003e \u003cb\u003e173\u003c/b\u003e, 5\u0026ndash;9 (2017).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eShone, N., Ngoc, T. N., Phai, V. D. \u0026amp; Shi, Q. A deep learning approach to network intrusion detection. \u003cem\u003eIEEE Trans. Emerg. Top. Comput. Intell.\u003c/em\u003e \u003cb\u003e2\u003c/b\u003e, 41\u0026ndash;50 (2018).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eSiers, M. J. \u0026amp; Islam, M. Z. Cost sensitive decision forest and voting for software defect prediction. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 8862:929\u0026ndash;936. (2014). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1007/978-3-319-13560-1\u003c/span\u003e\u003cspan address=\"10.1007/978-3-319-13560-1\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eSubasi, A. \u0026amp; Kremic, E. Leveraging AI and machine learning for societal challenges, cas 2019 comparison of adaboost with multiboosting for phishing website detection. \u003cem\u003eProcedia Comput. Sci.\u003c/em\u003e \u003cb\u003e168\u003c/b\u003e, 272\u0026ndash;278. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://doi.org/10.1016/j.procs.2020.02.251\u003c/span\u003e\u003cspan address=\"10.1016/j.procs.2020.02.251\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e (2020).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eTalukder, M. A. et al. A dependable hybrid machine learning model for network intrusion detection. \u003cem\u003eJ. Inform. Secur. Appl.\u003c/em\u003e \u003cb\u003e72\u003c/b\u003e, 103405 (2023).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eTalukder, M. A. et al. Machine learning-based network intrusion detection for big and imbalanced data using oversampling, stacking feature embedding and feature extraction. \u003cem\u003eJ. big data\u003c/em\u003e. \u003cb\u003e11\u003c/b\u003e, 33 (2024).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eTao, P., Sun, Z. \u0026amp; Sun, Z. An improved intrusion detection algorithm based on GA and SVM. \u003cem\u003eIeee Access.\u003c/em\u003e \u003cb\u003e6\u003c/b\u003e, 13624\u0026ndash;13631 (2018).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eTorres, P., Catania, C., Garcia, S. \u0026amp; Garino, C. G. An analysis of recurrent neural networks for botnet detection behavior. In: 2016 IEEE biennial congress of Argentina (ARGENCON). IEEE, pp 1\u0026ndash;6 (2016).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eVEERAKUMARAN M V INTRUSION DETECTION SYSTEM. (IDS) IN NETWORKS.\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eWang, W. et al. Malware traffic classification using convolutional neural network for representation learning. In: 2017 International conference on information networking (ICOIN). IEEE, pp 712\u0026ndash;717 (2017).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eWang, Y., An, J. \u0026amp; Huang, W. Using CNN-based representation learning method for malicious traffic identification. In: 2018 IEEE/ACIS 17th International Conference on Computer and Information Science (ICIS). IEEE, pp 400\u0026ndash;404 (2018).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eYang, Y., Gu, Y. \u0026amp; Yan, Y. Machine learning-based intrusion detection for rare-class network attacks. \u003cem\u003eElectronics\u003c/em\u003e \u003cb\u003e12\u003c/b\u003e, 3911 (2023).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eYin, C., Zhu, Y., Fei, J. \u0026amp; He, X. A deep learning approach for intrusion detection using recurrent neural networks. \u003cem\u003eIeee Access.\u003c/em\u003e \u003cb\u003e5\u003c/b\u003e, 21954\u0026ndash;21961 (2017).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eZhang, Y. \u0026amp; Liu, Q. On IoT intrusion detection based on data augmentation for enhancing learning on unbalanced samples. \u003cem\u003eFuture Generation Comput. Syst.\u003c/em\u003e \u003cb\u003e133\u003c/b\u003e, 213\u0026ndash;227 (2022).\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003eZhao, G., Zhang, C. \u0026amp; Zheng, L. Intrusion detection using deep belief network and probabilistic neural network. In: 2017 IEEE international conference on computational science and engineering (CSE) and IEEE international conference on embedded and ubiquitous computing (EUC). IEEE, pp 639\u0026ndash;642 (2017).\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Intrusion Detection System (IDS), CS-Forest, Machine Learning, Network Security, Attack Classification","lastPublishedDoi":"10.21203/rs.3.rs-7187958/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7187958/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eThe growing complexity and number of cyberattacks make it necessary to have sophisticated security mechanisms to defend computer networks. Intrusion Detection Systems (IDS) play a crucial role in observing network traffic and detecting malicious behavior. However, conventional IDS tend to perform poorly in the detection of minority-class attacks like User-to-Root (U2R) and Remote-to-Local (R2L) because datasets like NSL-KDD are class-imbalanced. This imbalance results in high false-positive and false-negative rates, weakening the performance of the IDS. To meet these challenges, this research presents a new Cost-Sensitive Forest (CS-Forest) model that combines cost-sensitive learning and ensemble decision tree approaches. The CS-Forest model gives higher misclassification costs to minority classes to increase the identification of underrepresented attacks. It is tested on the NSL-KDD dataset, where the CS-Forest model achieved 87.41% accuracy, higher than standard classifiers like Average One Dependency Estimator (A1DE), K-Nearest Neighbor (KNN), Na\u0026iuml;ve Bayes (NB), Random Forest (RF), and Support Vector Machine (SVM). The design of the model lowers false positives and negatives very efficiently, showing its strength and effectiveness in strengthening network security by identifying infrequent intrusion attacks more efficiently.\u003c/p\u003e","manuscriptTitle":"Enhancing Network Intrusion Detection Systems through Cost-Sensitive Ensemble Learning with the CS-Forest Approach for Accurate Detection of Minority-Class Attacks","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-08-06 12:29:23","doi":"10.21203/rs.3.rs-7187958/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"02f554ac-8634-4c10-b3ea-8992dfd246cc","owner":[],"postedDate":"August 6th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[{"id":52639147,"name":"Physical sciences/Engineering"},{"id":52639148,"name":"Physical sciences/Mathematics and computing"}],"tags":[],"updatedAt":"2025-08-19T12:08:42+00:00","versionOfRecord":[],"versionCreatedAt":"2025-08-06 12:29:23","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7187958","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7187958","identity":"rs-7187958","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2025) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00