{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,20]],"date-time":"2026-05-20T16:42:28Z","timestamp":1779295348413,"version":"3.51.4"},"reference-count":52,"publisher":"MDPI AG","issue":"23","license":[{"start":{"date-parts":[[2022,11,30]],"date-time":"2022-11-30T00:00:00Z","timestamp":1669766400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Gobierno de Arag\u00f3n","award":["T31_20R"],"award-info":[{"award-number":["T31_20R"]}]},{"name":"Gobierno de Arag\u00f3n","award":["UZ2021-TEC-01"],"award-info":[{"award-number":["UZ2021-TEC-01"]}]},{"DOI":"10.13039\/501100007041","name":"Construyendo Europa desde Arag\u00f3n","doi-asserted-by":"publisher","award":["T31_20R"],"award-info":[{"award-number":["T31_20R"]}],"id":[{"id":"10.13039\/501100007041","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100007041","name":"Construyendo Europa desde Arag\u00f3n","doi-asserted-by":"publisher","award":["UZ2021-TEC-01"],"award-info":[{"award-number":["UZ2021-TEC-01"]}],"id":[{"id":"10.13039\/501100007041","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Cybersecurity is one of the great challenges of today\u2019s world. Rapid technological development has allowed society to prosper and improve the quality of life and the world is more dependent on new technologies. Managing security risks quickly and effectively, preventing, identifying, or mitigating them is a great challenge. The appearance of new attacks, and with more frequency, requires a constant update of threat detection methods. Traditional signature-based techniques are effective for known attacks, but they are not able to detect a new attack. For this reason, intrusion detection systems (IDS) that apply machine learning (ML) techniques represent an alternative that is gaining importance today. In this work, we have analyzed different machine learning techniques to determine which ones permit to obtain the best traffic classification results based on classification performance measurements and execution times, which is decisive for further real-time deployments. The CICIDS2017 dataset was selected in this work since it contains bidirectional traffic flows (derived from traffic captures) that include benign traffic and different types of up-to-date attacks. Each traffic flow is characterized by a set of connection-related attributes that can be used to model the traffic and distinguish between attacks and normal flows. The CICIDS2017 also contains the raw network traffic captures collected during the dataset creation in a packet-based format, thus permitting to extract the traffic flows from them. Various classification techniques have been evaluated using the Weka software: naive Bayes, logistic, multilayer perceptron, sequential minimal optimization, k-nearest neighbors, adaptive boosting, OneR, J48, PART, and random forest. As a general result, methods based on decision trees (PART, J48, and random forest) have turned out to be the most efficient with F1 values above 0.999 (average obtained in the complete dataset). Moreover, multiclass classification (distinguishing between different types of attack) and binary classification (distinguishing only between normal traffic and attack) have been compared, and the effect of reducing the number of attributes using the correlation-based feature selection (CFS) technique has been evaluated. By reducing the complexity in binary classification, better results can be obtained, and by selecting a reduced set of the most relevant attributes, less time is required (above 30% of decrease in the time required to test the model) at the cost of a small performance loss. The tree-based techniques with CFS attribute selection (six attributes selected) reached F1 values above 0.990 in the complete dataset. Finally, a conventional tool like Zeek has been used to process the raw traffic captures to identify the traffic flows and to obtain a reduced set of attributes from these flows. The classification results obtained using tree-based techniques (with 14 Zeek-based attributes) were also very high, with F1 above 0.997 (average obtained in the complete dataset) and low execution times (allowing several hundred thousand flows\/s to be processed). These classification results obtained on the CICIDS2017 dataset allow us to affirm that the tree-based machine learning techniques may be appropriate in the flow-based intrusion detection problem and that algorithms, such as PART or J48, may offer a faster alternative solution to the RF technique.<\/jats:p>","DOI":"10.3390\/s22239326","type":"journal-article","created":{"date-parts":[[2022,11,30]],"date-time":"2022-11-30T08:46:41Z","timestamp":1669798001000},"page":"9326","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":34,"title":["Evaluation of Machine Learning Techniques for Traffic Flow-Based Intrusion Detection"],"prefix":"10.3390","volume":"22","author":[{"given":"Mar\u00eda","family":"Rodr\u00edguez","sequence":"first","affiliation":[{"name":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, 50018 Zaragoza, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5254-1402","authenticated-orcid":false,"given":"\u00c1lvaro","family":"Alesanco","sequence":"additional","affiliation":[{"name":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, 50018 Zaragoza, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lorena","family":"Mehavilla","sequence":"additional","affiliation":[{"name":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, 50018 Zaragoza, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9485-7678","authenticated-orcid":false,"given":"Jos\u00e9","family":"Garc\u00eda","sequence":"additional","affiliation":[{"name":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, 50018 Zaragoza, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,11,30]]},"reference":[{"key":"ref_1","unstructured":"(2022, October 31). Check Point Research: Third Quarter of 2022 Reveals Increase in Cyberattacks and Unexpected Developments in Global Trends. Available online: https:\/\/blog.checkpoint.com\/2022\/10\/26\/third-quarter-of-2022-reveals-increase-in-cyberattacks\/."},{"key":"ref_2","unstructured":"di Pietro, R., and Mancini, L.V. (2008). Intrusion Detection Systems, Springer Science & Business Media."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"157761","DOI":"10.1109\/ACCESS.2021.3129775","article-title":"Research Trends in Network-Based Intrusion Detection Systems: A Review","volume":"9","author":"Kumar","year":"2021","journal-title":"IEEE Access"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: Techniques, systems and challenges","volume":"28","year":"2009","journal-title":"Comput. Secur."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"El-Maghraby, R.T., Elazim, N.M.A., and Bahaa-Eldin, A.M. (2017, January 19\u201320). A survey on deep packet inspection. Proceedings of the 12th International Conference on Computer Engineering and Systems (ICCES), Cairo, Egypt.","DOI":"10.1109\/ICCES.2017.8275301"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"238","DOI":"10.1016\/j.cose.2017.05.009","article-title":"Flow-based intrusion detection: Techniques and challenges","volume":"70","author":"Umer","year":"2017","journal-title":"Comput. Secur."},{"key":"ref_7","unstructured":"(2022, October 31). Cisco IOS NetFlow. Available online: https:\/\/www.cisco.com\/c\/en\/us\/products\/ios-nx-os-software\/ios-netflow\/index.html."},{"key":"ref_8","unstructured":"(2022, October 31). Zeek Documentation. Available online: https:\/\/docs.zeek.org\/en\/master\/about.html."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","article-title":"A survey of data mining and machine learning methods for cyber security intrusion detection","volume":"18","author":"Buczak","year":"2016","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"152379","DOI":"10.1109\/ACCESS.2021.3126834","article-title":"Machine learning in network anomaly detection: A survey","volume":"9","author":"Wang","year":"2021","journal-title":"IEEE Access"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1016\/j.jnca.2015.11.016","article-title":"A survey of network anomaly detection techniques","volume":"60","author":"Ahmed","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"303","DOI":"10.1109\/SURV.2013.052213.00046","article-title":"Network anomaly detection: Methods systems and tools","volume":"16","author":"Bhuyan","year":"2013","journal-title":"IEEE Commun. Surv. Tuts."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"11994","DOI":"10.1016\/j.eswa.2009.05.029","article-title":"Intrusion detection by machine learning: A review","volume":"36","author":"Tsai","year":"2009","journal-title":"Expert Syst. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1061","DOI":"10.1007\/s00607-021-01050-5","article-title":"Machine learning approaches to network intrusion detection for contemporary internet traffic","volume":"104","author":"Ilyas","year":"2022","journal-title":"Computing"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1186\/s40537-021-00475-1","article-title":"Apply machine learning techniques to detect malicious network traffic in cloud computing","volume":"8","author":"Alshammari","year":"2021","journal-title":"J. Big Data"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"147","DOI":"10.1016\/j.cose.2019.06.005","article-title":"A survey of network-based intrusion detection data sets","volume":"86","author":"Ring","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"636","DOI":"10.1016\/j.procs.2020.03.330","article-title":"A review of the advancement in intrusion detection datasets","volume":"167","author":"Thakkar","year":"2020","journal-title":"Procedia Comput. Sci."},{"key":"ref_18","first-page":"12","article-title":"Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation","volume":"3","author":"Lippmann","year":"2000","journal-title":"DARPA Inf. Surviv. Conf. Expo."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"579","DOI":"10.1016\/S1389-1286(00)00139-0","article-title":"The 1999 DARPA off-line intrusion detection evaluation","volume":"34","author":"Lippmann","year":"2000","journal-title":"Comput. Netw."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"262","DOI":"10.1145\/382912.382923","article-title":"Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln laboratory","volume":"3","author":"McHugh","year":"2000","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A.A. (2009, January 8\u201310). A detailed analysis of the KDD CUP 99 data set. Proceedings of the IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1016\/j.cose.2011.12.012","article-title":"Toward developing a systematic approach to generate benchmark datasets for intrusion detection","volume":"31","author":"Shiravi","year":"2012","journal-title":"Comput. Secur."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"411","DOI":"10.1016\/j.cose.2017.11.004","article-title":"UGR\u201916: A new dataset for the evaluation of cyclostationarity-based network IDSs","volume":"73","author":"Camacho","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Moustafa, N., and Slay, J. (2015, January 10\u201312). UNSW-NB15: A comprehensive data set for network intrusion detection systems. Proceedings of the Military Communications and Information Systems Conference (MilCIS), Canberra, ACT, Australia.","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Sharafaldin, I., Lashkari, A.H., and Ghorbani, A.A. (2018, January 22\u201324). Toward generating a new intrusion detection dataset and intrusion traffic characterization. Proceedings of the International Conference on Information Systems Security and Privacy (ICISSP), Funchal, Madeira, Portugal.","DOI":"10.5220\/0006639801080116"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"177","DOI":"10.13052\/jsn2445-9739.2017.009","article-title":"Towards a reliable intrusion detection benchmark dataset","volume":"2017","author":"Sharafaldin","year":"2017","journal-title":"J. Softw. Netw."},{"key":"ref_27","unstructured":"(2022, October 10). CICFlow Meter Tool. Available online: https:\/\/www.unb.ca\/cic\/research\/applications.html."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Kubat, M. (2021). An Introduction to Machine Learning, Springer International Publishing.","DOI":"10.1007\/978-3-030-81935-4"},{"key":"ref_29","unstructured":"John, G.H. (1995). Estimating continuous distributions in bayesian classifiers. UAI\u201995: Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence, Montreal, QC, Canada, 18\u201320 August 1995, Morgan Kaufmann."},{"key":"ref_30","unstructured":"Platt, J.C. (2008, January 17\u201319). Fast training of support vector machines using sequential minimal optimization. Proceedings of the 2008 3rd International Conference on Intelligent System and Knowledge Engineering, Xiamen, China."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1007\/BF00153759","article-title":"Instance-based learning algorithms","volume":"6","author":"Aha","year":"1991","journal-title":"Mach. Learn."},{"key":"ref_32","unstructured":"Freund, Y., and Schapire, R.E. (1996). Experiments with a new boosting algorithm. ICML\u201996: Proceedings of the Thirteenth International Conference on International Conference on Machine Learning, Bari, Italy, 3\u20136 July 1996, Morgan Kaufmann Publishers Inc."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1023\/A:1022631118932","article-title":"Very simple classification rules perform well on most commonly used datasets","volume":"11","author":"Holte","year":"1993","journal-title":"Mach. Learn."},{"key":"ref_34","unstructured":"Ross Quinlan, J. (1994). Programs for Machine Learning, Kaufmann Publishers."},{"key":"ref_35","unstructured":"Frank, E., and Witten, I.H. (1998). Generating accurate rule sets without global optimization. ICML \u201998: Proceedings of the Fifteenth International Conference on Machine Learning, Morgan Kaufmann Publishers Inc."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1023\/A:1010933404324","article-title":"Random Forests","volume":"45","author":"Breiman","year":"2001","journal-title":"Mach. Learn."},{"key":"ref_37","unstructured":"Witten, I.H., and Frank, E. (2005). Data Mining: Practical Machine Learning Tools and Techniques, Morgan Kaufmann. [2nd ed.]."},{"key":"ref_38","unstructured":"Frank, E., Hall, M.A., and Witten, I.H. (2016). WEKA Workbench Online Appendix for \u201cData Mining: Practical Machine Learning Tools and Techniques\u201d Morgan Kaufmann, Goodreads Inc. [4th ed.]."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Alshammari, R., and Zincir-Heywood, A.N. (2007, January 7\u201310). A flow based approach for SSH traffic detection. Proceedings of the 2007 IEEE International Conference on Systems, Man and Cybernetics, Montreal, QC, Canada.","DOI":"10.1109\/ICSMC.2007.4414006"},{"key":"ref_40","first-page":"9","article-title":"Ensemble and Deep-Learning Methods for Two-Class and Multi-Attack Anomaly Intrusion Detection: An Empirical Study","volume":"10","author":"Elijah","year":"2019","journal-title":"(IJACSA) Int. J. Adv. Comput. Sci. Appl."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Khalid, S., Khalil, T., and Nasreen, S. (2014, January 27\u201329). A Survey of Feature Selection and Feature Extraction Techniques in Machine Learning. Proceedings of the 2014 Science and Information Conference (SAI), London, UK.","DOI":"10.1109\/SAI.2014.6918213"},{"key":"ref_42","first-page":"329","article-title":"Feature Selection Methods: Case of Filter and Wrapper Approaches for Maximising Classification Accuracy","volume":"26","author":"Wah","year":"2018","journal-title":"Pertanika J. Sci. Technol."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Guyon, I., Gunn, S., Nikravesh, M., and Zadeh, L.A. (2006). Feature Extraction: Foundations and Applications. Series Studies in Fuzziness and Soft Computing, Springer.","DOI":"10.1007\/978-3-540-35488-8"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Balogun, A.O., Basri, S., Abdulkadir, S.J., and Hashim, A.S. (2019). Performance Analysis of Feature Selection Methods in Software Defect Prediction: A Search Method Approach. Appl. Sci., 9.","DOI":"10.3390\/app9132764"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Balogun, A.O., Basri, S., Mahamad, S., Abdulkadir, S.J., Almomani, M.A., Adeyemo, V.E., Al-Tashi, Q., Mojeed, H.A., Imam, A.A., and Bajeh, A.O. (2020). Impact of Feature Selection Methods on the Predictive Performance of Software Defect Prediction Models: An Extensive Empirical Study. Symmetry, 12.","DOI":"10.3390\/sym12071147"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Nguyen, H., Franke, K., and Petrovic, S. (2010, January 5\u201318). Improving effectiveness of intrusion detection by correlation feature selection. Proceedings of the International Conference on Availability, Reliability, and Security (ARES), Krakow, Poland.","DOI":"10.1109\/ARES.2010.70"},{"key":"ref_47","unstructured":"Hall, M.A. (1999). Correlation-Based Feature Selection for Machine Learning. [Doctoral Dissertation, University of Waikato]."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Engelen, G., Rimmer, V., and Joosen, W. (2021, January 27\u201327). Troubleshooting an intrusion detection dataset: The CICIDS2017 case study. Proceedings of the 2021 IEEE Symposium on Security and Privacy Workshops, SPW, San Francisco, CA, USA.","DOI":"10.1109\/SPW53761.2021.00009"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Rosay, A., Cheval, E., Carlier, F., and Leroux, P. (2022, January 9\u201311). Network intrusion detection: A comprehensive analysis of CIC-IDS2017. Proceedings of the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022), Online.","DOI":"10.5220\/0010774000003120"},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Abdulhammed, R., Musafer, H., Alessa, A., Faezipour, M., and Abuzneid, A. (2019). Features dimensionality reduction approaches for machine learning based network intrusion detection. Electronics, 8.","DOI":"10.3390\/electronics8030322"},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"132911","DOI":"10.1109\/ACCESS.2020.3009843","article-title":"CICIDS-2017 dataset feature analysis with information gain for anomaly detection","volume":"8","author":"Stiawan","year":"2020","journal-title":"IEEE Access"},{"key":"ref_52","first-page":"012029","article-title":"Analysis on network traffic features for designing machine learning based IDS","volume":"1","author":"Meemongkolkiat","year":"1993","journal-title":"J. Phys. Conf. Series."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/23\/9326\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T01:30:14Z","timestamp":1760146214000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/23\/9326"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,30]]},"references-count":52,"journal-issue":{"issue":"23","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["s22239326"],"URL":"https:\/\/doi.org\/10.3390\/s22239326","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,11,30]]}}}