{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T10:44:27Z","timestamp":1776077067846,"version":"3.50.1"},"reference-count":39,"publisher":"MDPI AG","issue":"16","license":[{"start":{"date-parts":[[2022,8,17]],"date-time":"2022-08-17T00:00:00Z","timestamp":1660694400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"The past few years have witnessed a substantial increase in cyberattacks on Internet of Things (IoT) devices and their networks. Such attacks pose a significant threat to organizational security and user privacy. Utilizing Machine Learning (ML) in Intrusion Detection Systems (NIDS) has proven advantageous in countering novel zero-day attacks. However, the performance of such systems relies on several factors, one of which is prediction time. Processing speed in anomaly-based NIDS depends on a few elements, including the number of features fed to the ML model. NetFlow, a networking industry-standard protocol, offers many features that can be used to predict malicious attacks accurately. This paper examines NetFlow features and assesses their suitability in classifying network traffic. Our paper presents a model that detects attacks with (98\u2013100%) accuracy using as few as 13 features. This study was conducted using a large dataset of over 16 million records released in 2021.<\/jats:p>","DOI":"10.3390\/s22166164","type":"journal-article","created":{"date-parts":[[2022,8,17]],"date-time":"2022-08-17T22:53:30Z","timestamp":1660776810000},"page":"6164","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":37,"title":["Examining the Suitability of NetFlow Features in Detecting IoT Network Intrusions"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4698-133X","authenticated-orcid":false,"given":"Mohammed","family":"Awad","sequence":"first","affiliation":[{"name":"Department of Computer Science and Engineering, American University of Ras Al Khaimah, Ras Al Khaimah P.O. Box 72603, United Arab Emirates"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1025-7868","authenticated-orcid":false,"given":"Salam","family":"Fraihat","sequence":"additional","affiliation":[{"name":"Artificial Intelligence Research Center (AIRC), College of Engineering and Information Technology, Ajman University, Ajman P.O. Box 346, United Arab Emirates"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Khouloud","family":"Salameh","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, American University of Ras Al Khaimah, Ras Al Khaimah P.O. Box 72603, United Arab Emirates"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Aneesa","family":"Al Redhaei","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, American University of Ras Al Khaimah, Ras Al Khaimah P.O. Box 72603, United Arab Emirates"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,8,17]]},"reference":[{"key":"ref_1","first-page":"1","article-title":"The internet of things: An overview","volume":"80","author":"Rose","year":"2015","journal-title":"Internet Soc. (ISOC)"},{"key":"ref_2","unstructured":"(2022, May 05). The Growth in Connected IoT Devices is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast. Available online: https:\/\/www.businesswire.com\/news\/home\/20190618005012\/en\/The-Growth-in-Connected-IoT-Devices-is-Expected-to-Generate-79.4ZB-of-Data-in-2025-According-to-a-New-IDC-Forecast."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"381","DOI":"10.1007\/s12626-021-00086-5","article-title":"Epistemological equation for analysing uncontrollable states in complex systems: Quantifying cyber risks from the internet of things","volume":"15","author":"Radanliev","year":"2021","journal-title":"Rev. Socionetwork Strateg."},{"key":"ref_4","unstructured":"(2022, March 02). 3 Steps: Cyber Breach Recovery Plan to Minimize Loss of Sales\u2014Based on Verkada Breach. Available online: https:\/\/firedome.io\/blog\/cyber-breach-recovery-plan-based-on-verkada-breach."},{"key":"ref_5","unstructured":"(2022, May 02). Top Cyber Attacks on IoT Devices in 2021. Available online: https:\/\/firedome.io\/blog\/top-cyber-attacks-on-iot-devices-in-2021\/."},{"key":"ref_6","unstructured":"Lau, F., Rubin, S.H., Smith, M.H., and Trajkovic, L. (2000, January 8\u201311). Distributed denial of service attacks. Proceedings of the Smc 2000 Conference Proceedings, 2000 IEEE International Conference on Systems, Man and Cybernetics.\u2019Cybernetics Evolving to Systems, Humans, Organizations, and Their Complex Interactions\u2019 (Cat. No. 0), Nashville, TN, USA."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"2027","DOI":"10.1109\/COMST.2016.2548426","article-title":"A survey of man in the middle attacks","volume":"18","author":"Conti","year":"2016","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Kumar, S., Singh, S., and Kumar, J. (2017, January 5\u20136). A comparative study on face spoofing attacks. Proceedings of the 2017 International Conference on Computing, Communication and Automation (ICCCA), Greater Noida, India.","DOI":"10.1109\/CCAA.2017.8229961"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"179","DOI":"10.1145\/2103621.2103678","article-title":"Defining code-injection attacks","volume":"47","author":"Ray","year":"2012","journal-title":"Acm Sigplan Not."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1109\/65.283931","article-title":"Network intrusion detection","volume":"8","author":"Mukherjee","year":"1994","journal-title":"IEEE Netw."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Mag\u00e1n-Carri\u00f3n, R., Urda, D., D\u00edaz-Cano, I., and Dorronsoro, B. (2020). Towards a reliable comparison and evaluation of network intrusion detection systems based on machine learning approaches. Appl. Sci., 10.","DOI":"10.3390\/app10051775"},{"key":"ref_12","unstructured":"Wu, H., Schwab, S., and Peckham, R.L. (2008). Signature Based Network Intrusion Detection System and Method. (7,424,744), U.S. Patent."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: Techniques, systems and challenges","volume":"28","year":"2009","journal-title":"Comput. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1007\/s11036-021-01843-0","article-title":"Towards a standard feature set for network intrusion detection system datasets","volume":"27","author":"Sarhan","year":"2022","journal-title":"Mob. Netw. Appl."},{"key":"ref_15","unstructured":"Sanda, O. (2021). Confidentiality, Integrity, and Accountability: A Novel Patient-Centric Blockchain Approach to Establish CIA Principles and Healthcare Data Privacy. [Ph.D Thesis, University of Brighton]."},{"key":"ref_16","unstructured":"(2022, March 04). Netflow v2 Features. Available online: https:\/\/cloudstor.aarnet.edu.au\/plus\/apps\/onlyoffice\/s\/Y4tLFbVjWthpVKd?fileId=5240171798."},{"key":"ref_17","unstructured":"(2022, May 02). Netflow datasets. Available online: http:\/\/staff.itee.uq.edu.au\/marius\/NIDS_datasets\/."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Sarhan, M., Layeghy, S., Moustafa, N., and Portmann, M. (2020). Netflow datasets for machine learning-based network intrusion detection systems. Big Data Technologies and Applications, Springer.","DOI":"10.1007\/978-3-030-72802-1_9"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Sarhan, M., Layeghy, S., Moustafa, N., Gallagher, M., and Portmann, M. (2021). Feature Extraction for Machine Learning-based Intrusion Detection in IoT Networks. arXiv.","DOI":"10.21203\/rs.3.rs-2035633\/v1"},{"key":"ref_20","unstructured":"(2022, March 02). ToN IoT Datasets. Available online: https:\/\/ieee-dataport.org\/documents\/toniot-datasets."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Le, T.T.H., Kim, H., Kang, H., and Kim, H. (2022). Classification and Explanation for Intrusion Detection System Based on Ensemble Trees and SHAP Method. Sensors, 22.","DOI":"10.3390\/s22031154"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Sarhan, M., Layeghy, S., and Portmann, M. (2021). An explainable machine learning-based network intrusion detection system for enabling generalisability in securing IoT networks. arXiv.","DOI":"10.21203\/rs.3.rs-2035633\/v1"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Dias, L., Valente, S., and Correia, M. (2020, January 24\u201327). Go with the flow: Clustering dynamically-defined netflow features for network intrusion detection with DynIDS. Proceedings of the 2020 IEEE 19th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA.","DOI":"10.1109\/NCA51143.2020.9306732"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Liu, X., Tang, Z., and Yang, B. (2019, January 27\u201329). Predicting network attacks with CNN by constructing images from NetFlow data. Proceedings of the 2019 IEEE 5th International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC) and IEEE International Conference on Intelligent Data and Security (IDS), Washington, DC, USA.","DOI":"10.1109\/BigDataSecurity-HPSC-IDS.2019.00022"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"1885","DOI":"10.1109\/TNSM.2021.3075656","article-title":"Machine learning for netflow anomaly detection with human-readable annotations","volume":"18","author":"Krishnamurthy","year":"2021","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Haghighat, M.H., Foroushani, Z.A., and Li, J. (2019, January 16\u201319). SAWANT: Smart Window Based Anomaly Detection Using Netflow Traffic. Proceedings of the 2019 IEEE 19th International Conference on Communication Technology (ICCT), Xi\u2019an, China.","DOI":"10.1109\/ICCT46805.2019.8947103"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Abu Al-Haija, Q., and Al-Badawi, A. (2021). Attack-Aware IoT Network Traffic Routing Leveraging Ensemble Learning. Sensors, 22.","DOI":"10.3390\/s22010241"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Abu Al-Haija, Q., and Zein-Sabatto, S. (2020). An efficient deep-learning-based detection and classification system for cyber-attacks in IoT communication networks. Electronics, 9.","DOI":"10.20944\/preprints202011.0508.v2"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"2287","DOI":"10.1007\/s11277-019-06986-8","article-title":"Machine learning based intrusion detection systems for IoT applications","volume":"111","author":"Verma","year":"2020","journal-title":"Wirel. Pers. Commun."},{"key":"ref_30","first-page":"176","article-title":"Towards an Effective Feature Selection in NIDS","volume":"10","author":"Stephen","year":"2018","journal-title":"Int. J. Anal. Exp. Modal Anal."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Almomani, O. (2020). A feature selection model for network intrusion detection system based on PSO, GWO, FFA and GA algorithms. Symmetry, 12.","DOI":"10.3390\/sym12061046"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Benesty, J., Chen, J., Huang, Y., and Cohen, I. (2009). Pearson correlation coefficient. Noise Reduction in Speech Processing, Springer.","DOI":"10.1007\/978-3-642-00296-0_5"},{"key":"ref_33","first-page":"1","article-title":"Feature selection: A data perspective","volume":"50","author":"Li","year":"2017","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Liu, Y., Wang, Y., and Zhang, J. (2012, January 16\u201318). New machine learning algorithm: Random forest. Proceedings of the International Conference on Information Computing and Applications, Singapore.","DOI":"10.1007\/978-3-642-34062-8_32"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"105361","DOI":"10.1016\/j.knosys.2019.105361","article-title":"A novel selective na\u00efve Bayes algorithm","volume":"192","author":"Chen","year":"2020","journal-title":"Knowl.-Based Syst."},{"key":"ref_36","unstructured":"Brijain, M., Patel, R., Kushik, M., and Rana, K. (2014). A Survey on Decision Tree Algorithm for Classification, CiteSeerX."},{"key":"ref_37","unstructured":"Chen, T., He, T., Benesty, M., Khotilovich, V., Tang, Y., Cho, H., and Chen, K. (2022, March 02). Xgboost: Extreme gradient boosting. Available online: https:\/\/cran.microsoft.com\/snapshot\/2017-12-11\/web\/packages\/xgboost\/vignettes\/xgboost.pdf."},{"key":"ref_38","unstructured":"Powers, D.M. (2020). Evaluation: From precision, recall and F-measure to ROC, informedness, markedness and correlation. arXiv."},{"key":"ref_39","unstructured":"(2022, March 02). NetFlow Version 9 Flow-Record Format. Available online: https:\/\/www.cisco.com\/en\/US\/technologies\/tk648\/tk362\/technologies_white_paper09186a00800a3db9.html."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/16\/6164\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:11:13Z","timestamp":1760141473000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/16\/6164"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,8,17]]},"references-count":39,"journal-issue":{"issue":"16","published-online":{"date-parts":[[2022,8]]}},"alternative-id":["s22166164"],"URL":"https:\/\/doi.org\/10.3390\/s22166164","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,8,17]]}}}