No Access

Predicting Cyberattacks with Destination Port Through Various Input Feature Scenario

Richard Zuech

Florida Atlantic University, Boca Raton, FL 33139, USA

E-mail Address: rzuech@fau.edu

Search for more papers by this author

John Hancock

Florida Atlantic University, Boca Raton, FL 33139, USA

E-mail Address: jhancoc4@fau.edu

Search for more papers by this author

, and

Taghi M. Khoshgoftaar

Florida Atlantic University, Boca Raton, FL 33139, USA

E-mail Address: khoshgof@fau.edu

Corresponding author.

Search for more papers by this author

https://doi.org/10.1142/S0218539322500036Cited by:1 (Source: Crossref)

Abstract

When analyzing cybersecurity datasets with machine learning, researchers commonly need to consider whether or not to include Destination Port as an input feature. We assess the impact of Destination Port as a predictive feature by building predictive models with three different input feature sets and four combinations of web attacks from the CSE-CIC-IDS2018 dataset. First, we use Destination Port as the only (single) input feature to our models. Second, all features (from CSE-CIC-IDS2018) are used without Destination Port to build the models. Third, all features plus (including) Destination Port are used to train and test the models. All three of these feature sets obtain respectable classification results in detecting web attacks with LightGBM and CatBoost classifiers in terms of Area Under the Receiver Operating Characteristic Curve (AUC) scores, with AUC scores exceeding 0.90 for all scenarios. We observe the best classification performance scores when Destination Port is combined with all of the other CSE-CIC-IDS2018 features. Although, classification performance is still respectable when only using Destination Port as the only (single) input feature. Additionally, we validate that Botnet attacks also have respectable AUC with Destination Port as the only input feature to our models. This highlights that practitioners must be mindful of whether or not to include Destination Port as an input feature if it experiences lopsided label distributions as we clearly identify in this study. Our brief survey of existing CSE-CIC-IDS2018 literature also discovered that many studies incorrectly treat Destination Port as a numerical input feature with machine learning models. Destination Port should be treated as a categorical input value to machine learning models, as its values do not represent numerical values which can be used in mathematical equations for the models.

Keywords:

References

1. J. Young, US ecommerce sales grow 14.9% in 2019 (accessed 28 November 2020). Google Scholar
2. R. Wald, F. Villanustre, T. M. Khoshgoftaar, R. Zuech, J. Robinson and E. Muharemagic, Using feature selection and classification to build effective and efficient firewalls, in Proc. 2014 IEEE 15th Int. Conf. Information Reuse and Integration (IRI 2014) (IEEE, 2014), pp. 850–854. Crossref, Google Scholar
3. I. Sharafaldin, A. H. Lashkari and A. A. Ghorbani, Toward generating a new intrusion detection dataset and intrusion traffic characterization, in Proc. 4th Int. Conf. Information Systems Security and Privacy (ICISSP) (SciTePress, 2018), pp. 108–116. Crossref, Google Scholar
4. CICIDS2017 dataset (accessed 28 August 2020). Google Scholar
5. J. L. Leevy and T. M. Khoshgoftaar, A survey and analysis of intrusion detection models based on CSE-CIC-IDS2018 Big Data, J. Big Data 7(1) (2020) 1–19. Crossref, Google Scholar
6. Damn Vulnerable Web App GitHub website (accessed 30 January 2021). Google Scholar
7. Selenium framework website (accessed 30 January 2021). Google Scholar
8. I. Hydara, A. B. M. Sultan, H. Zulzalil and N. Admodisastro, Current state of research on cross-site scripting (XSS) — A systematic literature review, Inf. Softw. Technol. 58 (2015) 170–186. Crossref, Web of Science, Google Scholar
9. W. G. Halfond et al., A classification of SQL-injection attacks and countermeasures, in Proc. IEEE Int. Symp. Secure Software Engineering, Vol. 1 (IEEE, 2006), pp. 13–15. Google Scholar
10. M. Feily, A. Shahrestani and S. Ramadass, A survey of botnet and botnet detection, in 2009 Third Int. Conf. Emerging Security Information, Systems and Technologies (IEEE, 2009), pp. 268–273. Crossref, Google Scholar
11. K. R. Fall and W. R. Stevens, TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley, 2011). Google Scholar
12. CSE-CIC-IDS2018 dataset (accessed 28 August 2020). Google Scholar
13. J. Kim, J. Kim, H. Kim, M. Shim and E. Choi, CNN-based network intrusion detection against denial-of-service attacks, Electronics 9(6) (2020) 916. Crossref, Web of Science, Google Scholar
14. Y. Hua, An efficient traffic classification scheme using embedded feature selection and LightGBM, in 2020 Information Communication Technologies Conf. (ICTC) (IEEE, 2020), pp. 125–130. Crossref, Google Scholar
15. J. L. Leevy, J. Hancock, R. Zuech and T. M. Khoshgoftaar, Detecting cybersecurity attacks across different network features and learners, J. Big Data 8(1) (2021) 1–29. Crossref, Google Scholar
16. S. Gamage and J. Samarabandu, Deep learning methods in network intrusion detection: A survey and an objective comparison, J. Netw. Comput. Appl. 169 (2020) 102767. Crossref, Web of Science, Google Scholar
17. G. Karatas, O. Demir and O. K. Sahingoz, Increasing the performance of machine learning-based IDSs on an imbalanced and up-to-date dataset, IEEE Access 8 (2020) 32150–32162. Crossref, Web of Science, Google Scholar
18. K. S. Huancayo Ramos, M. A. Sotelo Monge and J. Maestre Vidal, Benchmark-based reference model for evaluating Botnet detection tools driven by traffic-flow analytics, Sensors 20(16) (2020) 4501. Crossref, Web of Science, Google Scholar
19. H. Zhang, L. Huang, C. Q. Wu and Z. Li, An effective convolutional neural network based on smote and Gaussian mixture model for intrusion detection in imbalanced dataset, Comput. Netw. 177 (2020) 107315. Crossref, Web of Science, Google Scholar
20. S. Arlot et al., A survey of cross-validation procedures for model selection, Stat. Surv. 4 (2010) 40–79. Crossref, Google Scholar
21. R. Kohavi et al., A study of cross-validation and bootstrap for accuracy estimation and model selection, in Int. Joint Conf. Artificial Intelligence (IJCAI), Vol. 14(2), Montreal, Canada, 1995, pp. 1137–1145. Google Scholar
22. I. Amit, J. Matherly, W. Hewlett, Z. Xu, Y. Meshi and Y. Weinberger, Machine learning in cyber-security-problems, challenges and data sets, arXiv:1812.07858. Google Scholar
23. R. Zuech, J. Hancock and T. M. Khoshgoftaar, Investigating rarity in web attacks with ensemble learners, J. Big Data 8(1) (2021) 1–27. Crossref, Google Scholar
24. Scikit-learn website (accessed 30 January 2021). Google Scholar
25. CatBoost home page (accessed 28 August 2020). Google Scholar
26. J. Hancock and T. M. Khoshgoftaar, Medicare fraud detection using CatBoost, in 2020 IEEE 21st Int. Conf. Information Reuse and Integration for Data Science (IRI) (IEEE, 2020), pp. 97–103. Crossref, Google Scholar
27. A. Natekin and A. Knoll, Gradient boosting machines, a tutorial, Front. Neurorobot. 7 (2013) 21. Crossref, Web of Science, Google Scholar
28. J. T. Hancock and T. M. Khoshgoftaar, Gradient boosted decision tree algorithms for Medicare fraud detection, SN Comput. Sci. 2(4) (2021) 1–12. Crossref, Google Scholar
29. J. T. Hancock and T. M. Khoshgoftaar, CatBoost for big data: An interdisciplinary review, J. Big Data 7(1) (2020) 1–45. Crossref, Google Scholar
30. LightGBM GitHub website (accessed 28 August 2020). Google Scholar
31. J. Hancock and T. M. Khoshgoftaar, Leveraging LightGBM for categorical big data, in 2021 IEEE Seventh Int. Conf. Big Data Computing Service and Applications (BigDataService) (IEEE, 2021), pp. 149–154. Crossref, Google Scholar
32. G. Ke, Q. Meng, T. Finley, T. Wang, W. Chen, W. Ma, Q. Ye and T.-Y. Liu, LightGBM: A highly efficient gradient boosting decision tree, in Advances in Neural Information Processing Systems (NIPS), Neural Info Process Sys F (2017), pp. 3146–3154. Google Scholar
33. A. P. Bradley, The use of the area under the ROC curve in the evaluation of machine learning algorithms, Pattern Recognit. 30(7) (1997) 1145–1159. Crossref, Web of Science, Google Scholar
34. V. Bewick, L. Cheek and J. Ball, Statistics review 13: Receiver operating characteristic curves, Crit. Care 8(6) (2004) 1–5. Crossref, Web of Science, Google Scholar
35. N. R. Cook, Use and misuse of the receiver operating characteristic curve in risk prediction, Circulation 115(7) (2007) 928–935. Crossref, Web of Science, Google Scholar