{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T11:28:52Z","timestamp":1775474932591,"version":"3.50.1"},"reference-count":49,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,3,3]],"date-time":"2025-03-03T00:00:00Z","timestamp":1740960000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,3,3]],"date-time":"2025-03-03T00:00:00Z","timestamp":1740960000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100012165","name":"Key Technologies Research and Development Program","doi-asserted-by":"publisher","award":["2021YFB3101903"],"award-info":[{"award-number":["2021YFB3101903"]}],"id":[{"id":"10.13039\/501100012165","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>In practical scenarios, security events triggered by abnormal network traffic often result from the collective behavior of multiple data streams, embodying group security events with collective characteristics. Existing research methods, focusing on individual data streams, lack a macroscopic analysis and struggle with challenges of analyzing massive, imbalanced data sets. To address these challenges, this paper adopts a multi-instance learning approach, mapping multiple data streams into a bag with a coarse-grained approach, where each bag corresponds to a security event label and each data stream represents an instance. We propose a multi-instance network traffic conversion method, Bag2Image, which transforms temporal multi-instance network traffic data into image representations, preserving the spatio-temporal characteristics of instances within the bag through image channels and pixels. This strategy allows the network security event prediction task to be approached as an image classification problem, leveraging advanced image classification techniques for prediction. Our cross-experiments with six advanced multi-instance learning (MIL) algorithms and six different classification models demonstrate the superior performance of our method on both the UNSW-NB15 dataset and a private dataset. Specifically, our method achieved the highest F1 scores of 77.9% and 74.4% on these datasets, respectively, representing improvements of 4.1% and 13.5% over the second-best MIL algorithm. The recall rates also saw increases of 4.1% and 13.2%, respectively.<\/jats:p>","DOI":"10.1186\/s42400-024-00292-y","type":"journal-article","created":{"date-parts":[[2025,3,3]],"date-time":"2025-03-03T00:02:08Z","timestamp":1740960128000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Bag2image: a multi-instance network traffic representation for network security event prediction"],"prefix":"10.1186","volume":"8","author":[{"given":"Jiachen","family":"Zhang","sequence":"first","affiliation":[]},{"given":"Daoqi","family":"Han","sequence":"additional","affiliation":[]},{"given":"Zhaoxuan","family":"Lv","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3196-0349","authenticated-orcid":false,"given":"Yueming","family":"Lu","sequence":"additional","affiliation":[]},{"given":"Junke","family":"Duan","sequence":"additional","affiliation":[]},{"given":"Yang","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Xinyu","family":"Zhang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,3]]},"reference":[{"key":"292_CR1","doi-asserted-by":"publisher","first-page":"99166","DOI":"10.1109\/ACCESS.2021.3094183","volume":"9","author":"A Alharbi","year":"2021","unstructured":"Alharbi A, Alsubhi K (2021) Botnet detection approach using graph-based machine learning. IEEE Access 9:99166\u201399180","journal-title":"IEEE Access"},{"key":"292_CR2","doi-asserted-by":"crossref","unstructured":"Alkasassbeh M, Al-Naymat G, Hassanat AB, Almseidin M (2016) Detecting distributed denial of service attacks using data mining techniques. Int J Adv Comput Sci Appl 7(1)","DOI":"10.14569\/IJACSA.2016.070159"},{"key":"292_CR3","doi-asserted-by":"crossref","unstructured":"Bagci\u00a0Das D, Birant D (2023) Human activity recognition based on multi-instance learning. Expert Syst 13256","DOI":"10.1111\/exsy.13256"},{"key":"292_CR4","doi-asserted-by":"publisher","first-page":"2383","DOI":"10.1007\/s11227-020-03323-w","volume":"77","author":"A Banitalebi Dehkordi","year":"2021","unstructured":"Banitalebi Dehkordi A, Soltanaghaei M, Boroujeni FZ (2021) The ddos attacks detection through machine learning and statistical methods in sdn. J Supercomput 77:2383\u20132415","journal-title":"J Supercomput"},{"key":"292_CR5","doi-asserted-by":"publisher","first-page":"24","DOI":"10.1016\/j.isprsjprs.2016.01.011","volume":"114","author":"M Belgiu","year":"2016","unstructured":"Belgiu M, Dr\u0103gu\u0163 L (2016) Random forest in remote sensing: a review of applications and future directions. ISPRS J Photogramm Remote Sens 114:24\u201331","journal-title":"ISPRS J Photogramm Remote Sens"},{"key":"292_CR6","doi-asserted-by":"crossref","unstructured":"Bilge L, Han Y, Dell\u2019Amico M (2017) Riskteller: Predicting the risk of cyber incidents. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 1299\u20131311","DOI":"10.1145\/3133956.3134022"},{"key":"292_CR7","doi-asserted-by":"crossref","unstructured":"Borgolte K, Kruegel C, Vigna G (2013) Delta: automatic identification of unknown web-based infection campaigns. In: Proceedings of the 2013 ACM SIGSAC Conference on computer & communications security, pp 109\u2013120","DOI":"10.1145\/2508859.2516725"},{"issue":"01","key":"292_CR8","doi-asserted-by":"publisher","first-page":"20","DOI":"10.38094\/jastt20165","volume":"2","author":"B Charbuty","year":"2021","unstructured":"Charbuty B, Abdulazeez A (2021) Classification based on decision tree algorithm for machine learning. J Appl Sci Technol Trends 2(01):20\u201328","journal-title":"J Appl Sci Technol Trends"},{"issue":"1","key":"292_CR9","doi-asserted-by":"publisher","first-page":"503","DOI":"10.1093\/bib\/bbab503","volume":"23","author":"Z Chen","year":"2022","unstructured":"Chen Z, Jiang Y, Zhang X, Zheng R, Qiu R, Sun Y, Zhao C, Shang H (2022) Resnet18dnn: prediction approach of drug-induced liver injury by deep neural network with resnet18. Brief Bioinform 23(1):503","journal-title":"Brief Bioinform"},{"key":"292_CR10","doi-asserted-by":"crossref","unstructured":"Chen T, Guestrin C (2016) Xgboost: a scalable tree boosting system. In: Proceedings of the 22nd ACM Sigkdd international conference on knowledge discovery and data mining, pp 785\u2013794","DOI":"10.1145\/2939672.2939785"},{"key":"292_CR11","doi-asserted-by":"crossref","unstructured":"Fan S, Wu S, Wang Z, Li Z, Yang J, Liu H, Liu X (2019) Aleap: attention-based lstm with event embedding for attack projection. In: 2019 IEEE 38th international performance computing and communications conference (IPCCC). IEEE, pp 1\u20138","DOI":"10.1109\/IPCCC47392.2019.8958761"},{"key":"292_CR12","unstructured":"Grandini M, Bagli E, Visani G (2020) Metrics for multi-class classification: an overview. arXiv preprint arXiv:2008.05756"},{"key":"292_CR13","unstructured":"Gulmezoglu B, Moghimi A, Eisenbarth T, Sunar B (2019) Fortuneteller: predicting microarchitectural attacks via unsupervised deep learning. arXiv preprint arXiv:1907.03651"},{"key":"292_CR14","doi-asserted-by":"crossref","unstructured":"He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 770\u2013778","DOI":"10.1109\/CVPR.2016.90"},{"key":"292_CR15","doi-asserted-by":"crossref","unstructured":"Jiang X, Zhang H-R, Zhou Y (2023) Multi-granularity abnormal traffic detection based on multi-instance learning. IEEE Trans Netw Service Manag","DOI":"10.1109\/TNSM.2023.3322152"},{"key":"292_CR16","doi-asserted-by":"crossref","unstructured":"Koonce B, Koonce B (2021) Resnet 50. Convolutional neural networks with swift for Tensorflow: image recognition and dataset categorization, pp 63\u201372","DOI":"10.1007\/978-1-4842-6168-2_6"},{"key":"292_CR17","doi-asserted-by":"publisher","first-page":"559","DOI":"10.1016\/j.ins.2018.08.020","volume":"467","author":"E\u015e K\u00fc\u00e7\u00fcka\u015fc\u0131","year":"2018","unstructured":"K\u00fc\u00e7\u00fcka\u015fc\u0131 E\u015e, Baydo\u011fan MG (2018) Bag encoding strategies in multiple instance learning problems. Inf Sci 467:559\u2013578","journal-title":"Inf Sci"},{"key":"292_CR18","unstructured":"Kulkarni AM (2021) Predicting security events using attention neural network. Ph.D. thesis, California State University, Sacramento"},{"key":"292_CR19","unstructured":"Kumar BH, Shivani M, Student\u00a0IV E, Vaishnavi R (2023) Machine learning techniques to detect cyber attacks on web applications. Mach Learn 52(6)"},{"key":"292_CR20","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102693","volume":"117","author":"A Kumar","year":"2022","unstructured":"Kumar A, Shridhar M, Swaminathan S, Lim TJ (2022) Machine learning-based early detection of iot botnets using network-edge traffic. Comput Secur 117:102693","journal-title":"Comput Secur"},{"key":"292_CR21","doi-asserted-by":"crossref","unstructured":"Li Z, Liu J, Wang J, Liu J, Yan T, An D, Zhou C, Wang Z (2022) Malicious traffic detection with class imbalanced data based on coarse-grained labels. In: International Symposium on Grids & Clouds 2022, p. 30","DOI":"10.22323\/1.415.0030"},{"issue":"4","key":"292_CR22","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1016\/S1389-1286(00)00139-0","volume":"34","author":"R Lippmann","year":"2000","unstructured":"Lippmann R, Haines JW, Fried DJ, Korba J, Das K (2000) The 1999 darpa off-line intrusion detection evaluation. Comput Netw 34(4):579\u2013595","journal-title":"Comput Netw"},{"issue":"9","key":"292_CR23","doi-asserted-by":"publisher","first-page":"2013","DOI":"10.1109\/TIFS.2016.2570740","volume":"11","author":"Y Liu","year":"2016","unstructured":"Liu Y, Dong M, Ota K, Liu A (2016) Activetrust: secure and trustable routing in wireless sensor networks. IEEE Trans Inf Forensics Secur 11(9):2013\u20132027","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"292_CR24","doi-asserted-by":"crossref","unstructured":"Liu J, Li Z, Wang J, Yan T, An D, Zhou C, Chen G (2022) A weakly-supervised method for encrypted malicious traffic detection. In: international symposium on grids & clouds 2022, p 27","DOI":"10.22323\/1.415.0027"},{"key":"292_CR25","unstructured":"Liu Y, Sarabi A, Zhang J, Naghizadeh P, Karir M, Bailey M, Liu M (2015) Cloudy with a chance of breach: forecasting cyber security incidents. In: 24th USENIX security symposium (USENIX Security 15), pp 1009\u20131024"},{"key":"292_CR26","doi-asserted-by":"crossref","unstructured":"Marcel S, Rodriguez Y (2010) Torchvision the machine-vision package of torch. In: Proceedings of the 18th ACM international conference on multimedia, pp 1485\u20131488","DOI":"10.1145\/1873951.1874254"},{"issue":"4","key":"292_CR27","doi-asserted-by":"publisher","first-page":"481","DOI":"10.1109\/TBDATA.2017.2715166","volume":"5","author":"N Moustafa","year":"2017","unstructured":"Moustafa N, Slay J, Creech G (2017) Novel geometric area analysis technique for anomaly detection using trapezoidal area estimation on large-scale networks. IEEE Trans Big Data 5(4):481\u2013494","journal-title":"IEEE Trans Big Data"},{"key":"292_CR28","doi-asserted-by":"crossref","unstructured":"Naseri M, Han Y, Mariconti E, Shen Y, Stringhini G, De\u00a0Cristofaro E (2022) Cerberus: exploring federated prediction of security events. In: Proceedings of the 2022 ACM SIGSAC conference on computer and communications security, pp 2337\u20132351","DOI":"10.1145\/3548606.3560580"},{"key":"292_CR29","doi-asserted-by":"crossref","unstructured":"Pande S, Khamparia A, Gupta D, Thanh DN (2021) Ddos detection using machine learning technique. In: Recent studies on computational intelligence: doctoral symposium on computational intelligence (DoSCI 2020). Springer, pp 59\u201368","DOI":"10.1007\/978-981-15-8469-5_5"},{"key":"292_CR30","unstructured":"Paszke A, Gross S, Massa F, Lerer A, Bradbury J, Chanan G, Killeen T, Lin Z, Gimelshein N, Antiga L, et al (2019) Pytorch: An imperative style, high-performance deep learning library. Adv Neural Inf Process Syst 32"},{"key":"292_CR31","first-page":"2825","volume":"12","author":"F Pedregosa","year":"2011","unstructured":"Pedregosa F, Varoquaux G, Gramfort A, Michel V, Thirion B, Grisel O, Blondel M, Prettenhofer P, Weiss R, Dubourg V (2011) Scikit-learn: machine learning in python. J Mach Learn Res 12:2825\u20132830","journal-title":"J Mach Learn Res"},{"key":"292_CR32","doi-asserted-by":"publisher","first-page":"156","DOI":"10.1016\/j.cose.2018.12.012","volume":"82","author":"M Ring","year":"2019","unstructured":"Ring M, Schl\u00f6r D, Landes D, Hotho A (2019) Flow-based network traffic generation using generative adversarial networks. Comput Secur 82:156\u2013172","journal-title":"Comput Secur"},{"key":"292_CR33","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1016\/j.ins.2021.05.076","volume":"574","author":"Z Shao","year":"2021","unstructured":"Shao Z, Yuan S, Wang Y (2021) Adaptive online learning for iot botnet detection. Inf Sci 574:84\u201395","journal-title":"Inf Sci"},{"key":"292_CR34","doi-asserted-by":"crossref","unstructured":"Shen Y, Mariconti E, Vervier PA, Stringhini G (2018) Tiresias: Predicting security events through deep learning. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 592\u2013605","DOI":"10.1145\/3243734.3243811"},{"issue":"16","key":"292_CR35","doi-asserted-by":"publisher","first-page":"1879","DOI":"10.3390\/electronics10161879","volume":"10","author":"ZA Siddiqui","year":"2021","unstructured":"Siddiqui ZA, Park U (2021) Progressive convolutional neural network for incremental learning. Electronics 10(16):1879","journal-title":"Electronics"},{"key":"292_CR36","doi-asserted-by":"crossref","unstructured":"Singh V, Dutta K (2018) Predicting security events in cloud computing","DOI":"10.4018\/978-1-5225-5634-3.ch050"},{"key":"292_CR37","unstructured":"Soska K, Christin N (2014) Automatically detecting vulnerable websites before they turn malicious. In: 23rd USENIX security symposium (USENIX Security 14), pp 625\u2013640"},{"key":"292_CR38","doi-asserted-by":"publisher","first-page":"346","DOI":"10.1016\/j.eswa.2017.10.036","volume":"93","author":"J Stiborek","year":"2018","unstructured":"Stiborek J, Pevn\u1ef3 T, Reh\u00e1k M (2018) Multiple instance learning for malware classification. Expert Syst Appl 93:346\u2013357","journal-title":"Expert Syst Appl"},{"issue":"2","key":"292_CR39","doi-asserted-by":"publisher","first-page":"1744","DOI":"10.1109\/COMST.2018.2885561","volume":"21","author":"N Sun","year":"2018","unstructured":"Sun N, Zhang J, Rimba P, Gao S, Zhang LY, Xiang Y (2018) Data-driven cybersecurity incident prediction: a survey. IEEE Commun Surv Tutor 21(2):1744\u20131772","journal-title":"IEEE Commun Surv Tutor"},{"key":"292_CR40","doi-asserted-by":"crossref","unstructured":"Taud H, Mas J (2018) Multilayer perceptron (mlp). Geomatic approaches for modeling land change scenarios, pp 451\u2013455","DOI":"10.1007\/978-3-319-60801-3_27"},{"key":"292_CR41","doi-asserted-by":"crossref","unstructured":"Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed analysis of the kdd cup 99 data set. In: 2009 IEEE symposium on computational intelligence for security and defense applications. IEEE, pp 1\u20136","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"292_CR42","doi-asserted-by":"publisher","first-page":"578","DOI":"10.1016\/j.ins.2019.07.071","volume":"504","author":"X Wang","year":"2019","unstructured":"Wang X, Yan Y, Tang P, Liu W, Guo X (2019) Bag similarity network for deep multi-instance learning. Inf Sci 504:578\u2013588","journal-title":"Inf Sci"},{"key":"292_CR43","unstructured":"Wang Z, Oates T (2015) Encoding time series as images for visual inspection and classification using tiled convolutional neural networks. In: Workshops at the twenty-ninth AAAI conference on artificial intelligence, vol 1. AAAI Menlo Park, CA, USA"},{"issue":"4","key":"292_CR44","doi-asserted-by":"publisher","first-page":"975","DOI":"10.1109\/TNNLS.2016.2519102","volume":"28","author":"X-S Wei","year":"2016","unstructured":"Wei X-S, Wu J, Zhou Z-H (2016) Scalable algorithms for multi-instance learning. IEEE Trans Neural Netw Learn Syst 28(4):975\u2013987","journal-title":"IEEE Trans Neural Netw Learn Syst"},{"key":"292_CR45","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102696","volume":"117","author":"S Wu","year":"2022","unstructured":"Wu S, Wang B, Wang Z, Fan S, Yang J, Li J (2022) Joint prediction on security event and time interval through deep learning. Comput Secur 117:102696","journal-title":"Comput Secur"},{"key":"292_CR46","doi-asserted-by":"crossref","unstructured":"Yang M, Zeng W-X, Min F (2022) Multi-instance embedding learning through high-level instance selection. In: Pacific-Asia conference on knowledge discovery and data mining. Springer, pp 122\u2013133","DOI":"10.1007\/978-3-031-05936-0_10"},{"key":"292_CR47","doi-asserted-by":"crossref","unstructured":"Zhang T, Xu C, Lian Y, Tian H, Kang J, Kuang X, Niyato D (2023) When moving target defense meets attack prediction in digital twins: a convolutional and hierarchical reinforcement learning approach. IEEE J Select Areas Commun","DOI":"10.1109\/JSAC.2023.3310072"},{"key":"292_CR48","doi-asserted-by":"crossref","unstructured":"Zhou Z-H, Zhang M-L (2003) Ensembles of multi-instance learners. In: European conference on machine learning. Springer, pp 492\u2013502","DOI":"10.1007\/978-3-540-39857-8_44"},{"issue":"1","key":"292_CR49","doi-asserted-by":"publisher","first-page":"2291","DOI":"10.1016\/j.artint.2011.10.002","volume":"176","author":"Z-H Zhou","year":"2012","unstructured":"Zhou Z-H, Zhang M-L, Huang S-J, Li Y-F (2012) Multi-instance multi-label learning. Artif Intell 176(1):2291\u20132320","journal-title":"Artif Intell"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00292-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00292-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00292-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,3]],"date-time":"2025-03-03T00:02:23Z","timestamp":1740960143000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00292-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,3]]},"references-count":49,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["292"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00292-y","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,3,3]]},"assertion":[{"value":"7 May 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 September 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 March 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. The authors declare the following financial interests\/personal relationships which may be considered as potential conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"31"}}