{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T05:32:59Z","timestamp":1775885579739,"version":"3.50.1"},"reference-count":27,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2022,7,5]],"date-time":"2022-07-05T00:00:00Z","timestamp":1656979200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,7,5]],"date-time":"2022-07-05T00:00:00Z","timestamp":1656979200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Complex Intell. Syst."],"published-print":{"date-parts":[[2023,8]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Machine learning has become the standard solution to problems in many areas, such as image recognition, natural language processing, and spam detection. In the area of network intrusion detection, machine learning techniques have also been successfully used to detect anomalies in network traffic. However, there is less tolerance in the network intrusion detection domain in terms of errors, especially false positives. In this paper, we define strict acceptance criteria, and show that only very few ensemble learning classifiers are able to meet them in detecting low footprint network intrusions. We compare bagging, boosting, and stacking techniques, and show how methods such as multi-layer stacking can outperform other ensemble techniques and non-ensemble models in detecting such intrusions. We show how different variations on a stacking ensemble model can play a significant role on the classification performance. Malicious examples in our dataset are from the network intrusions that exfiltrate data from a target machine. 
The benign examples are captured by network taps in geographically different locations on a big corporate network. Among hundreds of ensemble models based on seven different base learners, only three multi-layer stacking models meet the strict acceptance criteria, and achieve an F1 score of 0.99, and a false-positive rate of 0.001. Furthermore, we show that our ensemble models outperform different deep neural network models in classifying low footprint network intrusions.<\/jats:p>","DOI":"10.1007\/s40747-022-00809-3","type":"journal-article","created":{"date-parts":[[2022,7,5]],"date-time":"2022-07-05T05:02:33Z","timestamp":1656997353000},"page":"3787-3799","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":46,"title":["Multi-layer stacking ensemble learners for low footprint network intrusion detection"],"prefix":"10.1007","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8069-0918","authenticated-orcid":false,"given":"Saeed","family":"Shafieian","sequence":"first","affiliation":[]},{"given":"Mohammad","family":"Zulkernine","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,7,5]]},"reference":[{"key":"809_CR1","doi-asserted-by":"crossref","unstructured":"Sommer R, Paxson V (2010) Outside the closed world: On using machine learning for network intrusion detection. In: IEEE symposium on security and privacy. IEEE 2010, p. 305\u2013316","DOI":"10.1109\/SP.2010.25"},{"issue":"1","key":"809_CR2","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1023\/A:1010933404324","volume":"45","author":"L Breiman","year":"2001","unstructured":"Breiman L (2001) Random forests. Mach Learn 45(1):5\u201332","journal-title":"Mach Learn"},{"key":"809_CR3","doi-asserted-by":"crossref","unstructured":"Chen T, Guestrin C (2016) Xgboost: A scalable tree boosting system. 
In: Proceedings of the 22nd acm sigkdd international conference on knowledge discovery and data mining, p. 785\u2013794","DOI":"10.1145\/2939672.2939785"},{"key":"809_CR4","unstructured":"Archive UK (1999) Kdd cup 1999 dataset. http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html. Accessed 19 February 2020"},{"key":"809_CR5","unstructured":"Tavallaee WLM, Bagheri E, Ghorbani A (2009) Nsl-kdd dataset. https:\/\/www.unb.ca\/cic\/datasets\/nsl.html. Accessed 30 March 2021"},{"key":"809_CR6","doi-asserted-by":"crossref","unstructured":"Young S, Abdou T, Bener A (2018) Deep super learner: A deep ensemble for classification problems. In: Canadian Conference on Artificial Intelligence. Springer, p. 84\u201395","DOI":"10.1007\/978-3-319-89656-4_7"},{"key":"809_CR7","first-page":"2825","volume":"12","author":"F Pedregosa","year":"2011","unstructured":"Pedregosa F, Varoquaux G, Gramfort A, Michel V, Thirion B, Grisel O, Blondel M, Prettenhofer P, Weiss R, Dubourg V, Vanderplas J, Passos A, Cournapeau D, Brucher M, Perrot M, Duchesnay E (2011) Scikit-learn: machine learning in Python. J Mach Learn Res 12:2825\u20132830","journal-title":"J Mach Learn Res"},{"key":"809_CR8","doi-asserted-by":"publisher","first-page":"135","DOI":"10.1016\/j.cose.2016.11.004","volume":"65","author":"AA Aburomman","year":"2017","unstructured":"Aburomman AA, Reaz MBI (2017) A survey of intrusion detection systems based on ensemble and hybrid classifiers. Comput Secur 65:135\u2013152","journal-title":"Comput Secur"},{"key":"809_CR9","doi-asserted-by":"crossref","unstructured":"Vanerio J, Casas P (2017) Ensemble-learning approaches for network security and anomaly detection. In: Proceedings of the Workshop on Big Data Analytics and Machine Learning for Data Communication Networks, p. 
1\u20136","DOI":"10.1145\/3098593.3098594"},{"key":"809_CR10","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.jnca.2016.03.011","volume":"66","author":"G Folino","year":"2016","unstructured":"Folino G, Sabatino P (2016) Ensemble based collaborative and distributed intrusion detection systems: a survey. J Netw Comput Appl 66:1\u201316","journal-title":"J Netw Comput Appl"},{"key":"809_CR11","doi-asserted-by":"crossref","unstructured":"Syarif I, Zaluska E, Prugel-Bennett A, Wills G (2012) Application of bagging, boosting and stacking to intrusion detection. In: International Workshop on Machine Learning and Data Mining in Pattern Recognition. Springer, p. 593\u2013602","DOI":"10.1007\/978-3-642-31537-4_46"},{"key":"809_CR12","doi-asserted-by":"publisher","first-page":"53","DOI":"10.1016\/j.cose.2019.05.022","volume":"86","author":"J Gu","year":"2019","unstructured":"Gu J, Wang L, Wang H, Wang S (2019) A novel approach to intrusion detection using svm ensemble with feature augmentation. Comput Secur 86:53\u201362","journal-title":"Comput Secur"},{"key":"809_CR13","doi-asserted-by":"crossref","unstructured":"Shafieian S, Zulkernine M, Haque A (2015) Cloudzombie: Launching and detecting slow-read distributed denial of service attacks from the cloud. In: 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing. IEEE, p. 1733\u20131740","DOI":"10.1109\/CIT\/IUCC\/DASC\/PICOM.2015.261"},{"key":"809_CR14","doi-asserted-by":"crossref","unstructured":"Shafieian S, Smith D, Zulkernine M (2017) Detecting dns tunneling using ensemble learning. In: International Conference on Network and System Security. Springer, p. 
112\u2013127","DOI":"10.1007\/978-3-319-64701-2_9"},{"key":"809_CR15","doi-asserted-by":"publisher","first-page":"82 512","DOI":"10.1109\/ACCESS.2019.2923640","volume":"7","author":"X Gao","year":"2019","unstructured":"Gao X, Shan C, Hu C, Niu Z, Liu Z (2019) An adaptive ensemble machine learning model for intrusion detection. IEEE Access 7:82 512-82 521","journal-title":"IEEE Access"},{"key":"809_CR16","doi-asserted-by":"crossref","unstructured":"Hsu Y-F, He Z, Tarutani Y, Matsuoka M (2019) Toward an online network intrusion detection system based on ensemble learning. In: 2019 IEEE 12th International Conference on Cloud Computing (CLOUD). IEEE, p. 174\u2013178","DOI":"10.1109\/CLOUD.2019.00037"},{"key":"809_CR17","doi-asserted-by":"crossref","unstructured":"Moustafa N, Slay J (2015) Unsw-nb15: a comprehensive data set for network intrusion detection systems (unsw-nb15 network data set). In Military Communications and Information Systems Conference (MilCIS) 2015, p. 1\u20136","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"809_CR18","doi-asserted-by":"crossref","unstructured":"Zhong Y, Chen W, Wang Z, Chen Y, Wang K, Li Y, Yin X, Shi X, Yang J, Li K (2020) Helad: a novel network anomaly detection model based on heterogeneous ensemble learning. Comput Netw 169:107049","DOI":"10.1016\/j.comnet.2019.107049"},{"key":"809_CR19","unstructured":"Mawilab dataset. http:\/\/www.fukuda-lab.org\/mawilab\/index.html. Accessed 6 April 2021"},{"key":"809_CR20","unstructured":"Cic-ids2017 dataset. https:\/\/www.unb.ca\/cic\/datasets\/ids-2017.html. Accessed 6 April 2021"},{"key":"809_CR21","doi-asserted-by":"crossref","unstructured":"Mirsky Y, Doitshman T, Elovici Y, Shabtai A (2018) Kitsune: An ensemble of autoencoders for online network intrusion detection. 
In: 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18\u201321, 2018","DOI":"10.14722\/ndss.2018.23204"},{"key":"809_CR22","doi-asserted-by":"crossref","unstructured":"Tama BA, Comuzzi M, Rhee K-H (2019) Tse-ids: A two-stage classifier ensemble for intelligent anomaly-based intrusion detection system. IEEE Access 7:94 497\u201394 507","DOI":"10.1109\/ACCESS.2019.2928048"},{"key":"809_CR23","doi-asserted-by":"crossref","unstructured":"Mirza AH (2018) Computer network intrusion detection using various classifiers and ensemble learning. In: 26th Signal Processing and Communications Applications Conference (SIU). IEEE 2018:1\u20134","DOI":"10.1109\/SIU.2018.8404704"},{"key":"809_CR24","unstructured":"One-hot encoding. https:\/\/en.wikipedia.org\/wiki\/One-hot. Accessed 30 April 2021"},{"key":"809_CR25","unstructured":"Pearson correlation coefficient. https:\/\/en.wikipedia.org\/wiki\/Pearson_product-moment_correlation_coefficient. Accessed 4 February 2019"},{"issue":"1","key":"809_CR26","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/s10994-006-6226-1","volume":"63","author":"P Geurts","year":"2006","unstructured":"Geurts P, Ernst D, Wehenkel L (2006) Extremely randomized trees. Mach Learn 63(1):3\u201342","journal-title":"Mach Learn"},{"key":"809_CR27","unstructured":"Pytorch machine learning framework. https:\/\/pytorch.org. 
Accessed 7 May 2022"}],"container-title":["Complex & Intelligent Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s40747-022-00809-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s40747-022-00809-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s40747-022-00809-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,7,27]],"date-time":"2023-07-27T13:14:02Z","timestamp":1690463642000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s40747-022-00809-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,7,5]]},"references-count":27,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,8]]}},"alternative-id":["809"],"URL":"https:\/\/doi.org\/10.1007\/s40747-022-00809-3","relation":{},"ISSN":["2199-4536","2198-6053"],"issn-type":[{"value":"2199-4536","type":"print"},{"value":"2198-6053","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,7,5]]},"assertion":[{"value":"15 July 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 June 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 July 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"On behalf of all authors, the corresponding author states that there is no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of
interest"}}]}}