Author Contributions
Conceptualization, L.D.; methodology, L.D.; software, L.D.; validation, L.D.; formal analysis, L.D.; investigation, L.D.; resources, L.D. and IDLab-Imec; data curation, L.D.; writing—original draft preparation, L.D.; writing—review and editing, L.D., M.V., T.W. and B.V.; visualization, L.D.; supervision, T.W., B.V. and F.D.T.; project administration, L.D.; funding acquisition, T.W., B.V. and F.D.T. All authors have read and agreed to the published version of the manuscript.
  
    
  
  
    Figure 1.
      Visual overview of the experimental methodology.
  
 
   Figure 1.
      Visual overview of the experimental methodology.
  
 
  
    
  
  
    Figure 2.
      Performance profile of the set of linear SVMs, trained on the first subset of DoS traffic in CSE-CIC-IDS2018, when evaluating the second DoS subset from the same dataset.
  
 
   Figure 2.
      Performance profile of the set of linear SVMs, trained on the first subset of DoS traffic in CSE-CIC-IDS2018, when evaluating the second DoS subset from the same dataset.
  
 
  
    
  
  
    Figure 3.
      Performance comparison of the set of RBF-kernel SVMs, trained on the second subset of DDoS traffic in CSE-CIC-IDS2018, when evaluating its own test set (a) and the same set’s performance when evaluating the samples of the first DDoS subset of the same dataset (b).
  
 
   Figure 3.
      Performance comparison of the set of RBF-kernel SVMs, trained on the second subset of DDoS traffic in CSE-CIC-IDS2018, when evaluating its own test set (a) and the same set’s performance when evaluating the samples of the first DDoS subset of the same dataset (b).
  
 
  
    
  
  
    Figure 4.
      A visual representation of the broken link between training volume and model performance, observed in the breakdown of models trained on subset 2 of infiltration traffic (a) when classifying their subset’s test set and the same set of models’ performance on subset 1 of infiltration traffic (b).
  
 
   Figure 4.
      A visual representation of the broken link between training volume and model performance, observed in the breakdown of models trained on subset 2 of infiltration traffic (a) when classifying their subset’s test set and the same set of models’ performance on subset 1 of infiltration traffic (b).
  
 
  
    
  
  
    Figure 5.
      Best-case generalized performance of tree-based ensemble classifiers trained to recognize bruteforce attacks from CIC-IDS2017, when evaluating the bruteforce samples of CSE-CIC-IDS2018.
  
 
   Figure 5.
      Best-case generalized performance of tree-based ensemble classifiers trained to recognize bruteforce attacks from CIC-IDS2017, when evaluating the bruteforce samples of CSE-CIC-IDS2018.
  
 
  
    
  
  
    Figure 6.
      Generalized performance of the nearest centroids models when evaluating L7-DoS attacks between datasets and their resistance to the removal of highly discriminative features prior to training.
  
 
   Figure 6.
      Generalized performance of the nearest centroids models when evaluating L7-DoS attacks between datasets and their resistance to the removal of highly discriminative features prior to training.
  
 
  
    
  
  
    Figure 7.
      Generalized performance of logistic regression models on the L7-DoS attack class, which show reasonable consistency.
  
 
   Figure 7.
      Generalized performance of logistic regression models on the L7-DoS attack class, which show reasonable consistency.
  
 
  
    
  
  
    Figure 8.
      Best-case generalized performance by gradient-boosted, regularized decision tree ensembles on the botnet class.
  
 
   Figure 8.
      Best-case generalized performance by gradient-boosted, regularized decision tree ensembles on the botnet class.
  
 
  
    
  
  
    Figure 9.
      Generalized performance on the DDoS attack class by tree-based models can happen with modest losses in performance, but the unpredictability with regard to stability is a major downside (a,b).
  
 
   Figure 9.
      Generalized performance on the DDoS attack class by tree-based models can happen with modest losses in performance, but the unpredictability with regard to stability is a major downside (a,b).
  
 
  
    
  
  
    Figure 10.
      Generalized performance of DDoS models pretrained on CSE-CIC-IDS2018 DDoS has the potential to be high, but the volatility precludes reliability.
  
 
   Figure 10.
      Generalized performance of DDoS models pretrained on CSE-CIC-IDS2018 DDoS has the potential to be high, but the volatility precludes reliability.
  
 
  
    
  
  
    Figure 11.
      A rare occurrence of stable, generalized performance by a set of tree-based models. The best general performance exists for models that had little exposure to training data (<2.5% of sample count). This observation is very common, especially for the tree-based learners.
  
 
   Figure 11.
      A rare occurrence of stable, generalized performance by a set of tree-based models. The best general performance exists for models that had little exposure to training data (<2.5% of sample count). This observation is very common, especially for the tree-based learners.
  
 
  
    
  
  
    Figure 12.
      More observations of stable, general performance on the DDoS class by tree-based meta-estimators.
  
 
   Figure 12.
      More observations of stable, general performance on the DDoS class by tree-based meta-estimators.
  
 
  
    
  
  
    Figure 13.
      The constant behavior of nearest-centroid models when blindly evaluating DDoS samples from CIC-DDoS-2019. The method maintains perfect recall, but precision is heavily affected, falling back to a mere 50%.
  
 
   Figure 13.
      The constant behavior of nearest-centroid models when blindly evaluating DDoS samples from CIC-DDoS-2019. The method maintains perfect recall, but precision is heavily affected, falling back to a mere 50%.
  
 
  
    
  
  
    Figure 14.
      Feature scaling prior to training has a significant impact on performance in the interdataset case (a,b). The same methods did not show this weakness when just evaluating intradataset.
  
 
   Figure 14.
      Feature scaling prior to training has a significant impact on performance in the interdataset case (a,b). The same methods did not show this weakness when just evaluating intradataset.
  
 
  
    
  
  
    Figure 15.
      Even though performance is not high in absolute terms, the regression models and SVMs can exhibit clustered performance metrics. If these can be lifted to a higher plateau, then the methods could become viable.
  
 
   Figure 15.
      Even though performance is not high in absolute terms, the regression models and SVMs can exhibit clustered performance metrics. If these can be lifted to a higher plateau, then the methods could become viable.
  
 
  
    
  
  
    Figure 16.
      Another instance where, contrary to standard assumptions, increasing the training volume has a clear negative effect on generalized performance (a,b).
  
 
   Figure 16.
      Another instance where, contrary to standard assumptions, increasing the training volume has a clear negative effect on generalized performance (a,b).
  
 
  
    
  
  
    Figure 17.
      RBF-SVMs pretrained on the available DDoS subsets in CSE-CIC-IDS2018 have significantly different, but self-consistent general performance profiles on the UDP-lag attack subsets of CIC-DDoS2019.
  
 
   Figure 17.
      RBF-SVMs pretrained on the available DDoS subsets in CSE-CIC-IDS2018 have significantly different, but self-consistent general performance profiles on the UDP-lag attack subsets of CIC-DDoS2019.
  
 
  
    
  
  
    Table 1.
    CIC-IDS2017 Class Label Distribution.
  
 
  
      Table 1.
    CIC-IDS2017 Class Label Distribution.
      
        | Dataset | Subset Nr. | Attack Type | #Benign | #Malicious | 
|---|
|  | 0 | FTP-SSH brute force | 432074 | 13835 | 
|  | 1 | HTTP-DoS/DDoS | 440031 | 252672 | 
|  | 2 | Web attacks | 168186 | 2180 | 
| CIC-IDS2017 | 3 | Infiltration | 288566 | 36 | 
|  | 4 | Botnet | 189067 | 1966 | 
|  | 5 | DDoS | 128027 | 97718 | 
|  | 6 | Port scan | 158930 | 127537 | 
      
 
  
    
  
  
    Table 2.
    CIC-DoS2017 Class Label Distribution.
  
 
  
      Table 2.
    CIC-DoS2017 Class Label Distribution.
      
        | Dataset | Subset Nr. | Attack Type | #Benign | #Malicious | 
|---|
| CIC-DoS-2017 | 0 | Combined | 248896 | 42706 | 
      
 
  
    
  
  
    Table 3.
    CSE-CIC-IDS2018 Class Label Distribution.
  
 
  
      Table 3.
    CSE-CIC-IDS2018 Class Label Distribution.
      
        | Dataset | Subset Nr. | Attack Type | #Benign | #Malicious | 
|---|
|  | 0 | FTP-SSH brute force | 667626 | 380949 | 
|  | 1 | HTTP-DoS | 996077 | 52498 | 
|  | 2 | HTTP-DoS | 446772 | 601802 | 
|  | 3 | DDoS | 576191 | 472384 | 
| CSE-CIC-IDS2018 | 4 | DDoS | 687742 | 360833 | 
|  | 5 | Web attacks | 1048213 | 362 | 
|  | 6 | Web attacks | 1048009 | 566 | 
|  | 7 | Infiltration | 544200 | 68871 | 
|  | 8 | Infiltration | 238037 | 93063 | 
|  | 9 | Botnet | 762384 | 286191 | 
      
 
  
    
  
  
    Table 4.
    CIC-DDoS-2019 Class Label Distribution.
  
 
  
      Table 4.
    CIC-DDoS-2019 Class Label Distribution.
      
        | Dataset | Subset Nr. | Attack Type | #Benign | #Malicious | 
|---|
|  | 0 | DNS | 3403 | 3403 | 
|  | 1, 11 | LDAP | 1613, 5125 | 1613, 5125 | 
|  | 2, 12 | MSSQL | 2007, 2795 | 2007, 2795 | 
|  | 3, 13 | NetBIOS | 1708, 1322 | 1708, 1322 | 
|  | 4 | NTP | 14366 | 14366 | 
| CIC-DDoS-2019 | 5 | SNMP | 1508 | 1508 | 
|  | 6 | SSDP | 763 | 763 | 
|  | 7, 16 | UDP | 2158, 3135 | 2158, 3135 | 
|  | 8, 15 | SYN | 393, 35791 | 393, 35791 | 
|  | 9 | TFTP | 25248 | 25248 | 
|  | 10, 17 | UDPLag | 3706, 4069 | 3706, 4069 | 
|  | 14 | Portmap | 4735 | 4735 | 
      
 
  
    
  
  
    Table 5.
    Most discriminative features of CSE-CIC-IDS2018.
  
 
  
      Table 5.
    Most discriminative features of CSE-CIC-IDS2018.
      
        | Dataset | Most Discriminative | 
|---|
| CSE-CIC-IDS2018 | 1–5 | Timestamp, Init Win bytes forward, Destination Port, Flow IAT Min, Fwd Packets/s | 
| 5–10 | Fwd Packet Length Std, Avg Fwd Segment Size, Flow Duration, Fwd IAT Min, ECE Flag Count | 
| 10–15 | Fwd IAT Mean, Init Win bytes backward, Bwd Packets/s, Idle Max, Fwd IAT Std | 
| 15–20 | FIN Flag Count, Fwd Header Length, SYN Flag Count, Fwd Packet Length Max, Flow Packets | 
      
 
  
    
  
  
    Table 6.
    Mapping of the subsets of CSE-CIC-IDS2018 to their counterpart in CIC-IDS2017.
  
 
  
      Table 6.
    Mapping of the subsets of CSE-CIC-IDS2018 to their counterpart in CIC-IDS2017.
      
        | Attack Class | 2018 | Tools | 2017 | Tools | 
|---|
| Brute force | 0 | Patator.py (FTP/SSH) | 0 | Same attack tool | 
| DoS layer-7 | 1 | Slowloris Slowhttptest Hulk Goldeneye | 1 | Same attack tools | 
| Heartbleed | 2 | Heartleech | 1 | Heartleech | 
| DDoS | 3 | Low Orbit Ion Cannon (LOIC) (HTTP) | 5 | LOIC HTTP | 
| DDoS | 4 | LOIC-UDP, High Orbit Ion Cannon (HOIC) | 5 | LOIC HTTP | 
| Web attacks | 5 | Selenium (XSS, bruteforce), SQLi vs. DVWA | 2 | Same attack tools | 
| Web attacks | 6 | Selenium (XSS, bruteforce), SQLi vs. DVWA | 2 | Same attack tools | 
| Infiltration | 7 | Nmap, Dropbox download | 3 | Metasploit, Dropbox download | 
| Infiltration | 8 | Nmap, Dropbox download | 3 | Metasploit, Dropbox download | 
| Botnet | 9 | Zeus, ARES | 4 | ARES | 
| Port scan | - | - | 6 | Various Nmap commands | 
      
 
  
    
  
  
    Table 7.
    Classification metrics for the best 3 models per attack class, both for baseline (B) and generalized (G) classification, with mention of the preprocessing parameters.
  
 
  
      Table 7.
    Classification metrics for the best 3 models per attack class, both for baseline (B) and generalized (G) classification, with mention of the preprocessing parameters.
      
        | B/G | Class | M | Algorithm | Balanced Acc. | F1 | Precision | Recall | Scaling | Reduction | % Train | 
|---|
| B | 18-0.Bruteforce | 18-0 | rforest | 100.00 | 100.00 | 100.00 | 100.00 | MinMax | 0 | 0.1 | 
| gradboost | 100.00 | 99.99 | 99.99 | 100.00 | No | 0 | 0.1 | 
| bag | 99.99 | 99.98 | 99.95 | 100.00 | No | 0 | 0.1 | 
| G | 17-0.Bruteforce | 18-0 | gradboost | 99.81 | 94.61 | 89.79 | 99.98 | No | 0 | 0.1 | 
| dtree | 99.81 | 94.59 | 89.75 | 99.98 | No | 0 | 0.5 | 
| gradboost | 99.76 | 94.57 | 89.79 | 99.89 | No | 0 | 1.0 | 
| B | 18-1.L7-DoS | 18-1 | ada | 100.00 | 99.93 | 99.87 | 100.00 | MinMax | 0 | 0.5 | 
| dtree | 100.00 | 99.91 | 99.82 | 100.00 | No | 0 | 0.5 | 
| dtree | 99.87 | 99.61 | 99.47 | 99.76 | Z | 0 | 0.1 | 
| B | 18-2.L7-DoS | 18-2 | xgboost | 99.98 | 99.99 | 99.97 | 100.00 | MinMax | 0 | 0.1 | 
| rforest | 99.98 | 99.99 | 99.98 | 100.00 | MinMax | 0 | 0.1 | 
| dtree | 99.98 | 99.99 | 99.97 | 100.00 | MinMax | 0 | 0.1 | 
| G | 17-1.L7-DoS | 18-1 | ada | 93.53 | 92.54 | 96.43 | 88.94 | No | 0 | 11.0 | 
| ada | 92.64 | 91.11 | 93.57 | 88.78 | MinMax | 0 | 11.0 | 
| ada | 87.84 | 83.89 | 79.31 | 89.02 | No | 0 | 1.0 | 
| G | 17-1.L7-DoS | 18-2 | extratree | 88.22 | 84.26 | 79.19 | 90.04 | No | 5 | 6.0 | 
| extratree | 87.51 | 82.80 | 74.03 | 93.94 | No | 0 | 6.0 | 
| extratree | 88.46 | 84.58 | 79.71 | 90.09 | No | 5 | 11.0 | 
| B | 18-3.DDoS | 18-3 | gradboost | 99.81 | 99.83 | 99.87 | 99.79 | MinMax | 0 | 0.1 | 
| xgboost | 99.80 | 99.83 | 99.72 | 99.94 | MinMax | 0 | 0.1 | 
| knn | 99.80 | 99.83 | 99.72 | 99.94 | MinMax | 0 | 0.1 | 
| B | 18-4.DDoS | 18-4 | extratree | 99.99 | 100.00 | 99.99 | 100.00 | No | 20 | 0.1 | 
| ada | 99.98 | 99.99 | 99.97 | 100.00 | MinMax | 5 | 0.1 | 
| extratree | 99.98 | 99.99 | 99.98 | 100.00 | Z | 5 | 0.1 | 
| G | 17-5.DDoS | 18-3 | knn | 91.29 | 90.70 | 98.99 | 83.70 | Z | 15 | 0.1 | 
| knn | 88.88 | 87.70 | 99.18 | 78.61 | Z | 5 | 0.1 | 
| binlr | 86.58 | 89.05 | 86.73 | 91.50 | Z | 15 | 0.1 | 
| G | 17-5.DDoS | 18-4 | linsvc | 89.42 | 90.81 | 90.91 | 90.71 | MinMax | 15 | 1.0 | 
| xgboost | 86.68 | 88.79 | 87.66 | 89.95 | MinMax | 15 | 6.0 | 
| linsvc | 81.02 | 86.82 | 78.29 | 97.42 | MinMax | 15 | 0.5 | 
| B | 18-5.Web | 18-5 | xgboost | 96.96 | 96.87 | 100.00 | 93.92 | Z | 0 | 6.0 | 
| xgboost | 98.90 | 98.88 | 100.00 | 97.79 | MinMax | 0 | 11.0 | 
| dtree | 97.93 | 91.80 | 88.07 | 95.86 | Z | 0 | 6.0 | 
| B | 18-6.Web | 18-6 | xgboost | 95.49 | 95.19 | 99.81 | 90.99 | Z | 0 | 11.0 | 
| xgboost | 96.82 | 96.28 | 99.07 | 93.64 | No | 0 | 16.0 | 
| xgboost | 96.29 | 96.06 | 99.81 | 92.58 | MinMax | 0 | 16.0 | 
| G | 17-2.Web | 18-5 | ncentroid | 90.34 | 42.42 | 28.44 | 83.39 | MinMax | 15 | 35.0 | 
| ncentroid | 84.62 | 9.51 | 5.01 | 91.79 | No | 15 | 1.0 | 
| ncentroid | 84.62 | 9.51 | 5.01 | 91.79 | No | 20 | 1.0 | 
| G | 17-2.Web | 18-6 | xgboost | 91.13 | 71.47 | 62.81 | 82.89 | MinMax | 0 | 21.0 | 
| ada | 91.24 | 30.87 | 18.74 | 87.39 | MinMax | 15 | 0.5 | 
| ada | 94.54 | 46.19 | 30.87 | 91.74 | MinMax | 0 | 35.0 | 
| B | 18-7.Infil | 18-7 | gradboost | 74.88 | 37.13 | 23.88 | 83.39 | Z | 0 | 0.1 | 
| ada | 69.73 | 46.62 | 47.32 | 45.93 | No | 0 | 6.0 | 
| ada | 69.47 | 46.50 | 47.94 | 45.14 | Z | 0 | 6.0 | 
| B | 18-8.Infil | 18-8 | dtree | 93.31 | 86.96 | 79.06 | 96.63 | No | 0 | 1.0 | 
| dtree | 92.33 | 86.35 | 79.95 | 93.87 | MinMax | 0 | 1.0 | 
| dtree | 92.08 | 85.80 | 78.96 | 93.95 | MinMax | 0 | 0.5 | 
| G | 17-3.Infil | 18-7 | ada | 85.19 | 0.40 | 0.20 | 75.00 | Z | 15 | 0.1 | 
| bag | 84.06 | 1.30 | 0.65 | 69.44 | MinMax | 5 | 0.1 | 
| gradboost | 83.43 | 0.18 | 0.09 | 77.78 | MinMax | 20 | 1.0 | 
| G | 17-3.Infil | 18-8 | dtree | 88.84 | 0.69 | 0.35 | 80.56 | Z | 15 | 1.0 | 
| gradboost | 83.71 | 0.13 | 0.07 | 83.33 | MinMax | 10 | 0.5 | 
| gradboost | 81.07 | 0.12 | 0.06 | 77.78 | Z | 20 | 0.1 | 
| B | 18-9.Botnet | 18-9 | rforest | 99.91 | 99.88 | 99.89 | 99.87 | Z | 0 | 0.1 | 
| extratree | 99.88 | 99.86 | 99.95 | 99.77 | Z | 0 | 0.1 | 
| extratree | 99.89 | 99.81 | 99.77 | 99.86 | No | 0 | 0.1 | 
| G | 17-4.Botnet | 18-9 | gradboost | 82.07 | 78.13 | 99.92 | 64.14 | No | 0 | 0.5 | 
| bag | 82.07 | 78.10 | 99.84 | 64.14 | No | 0 | 1.0 | 
| xgboost | 82.06 | 77.53 | 97.98 | 64.14 | No | 0 | 0.5 | 
      
 
  
    
  
  
    Table 8.
    CIC-DoS2017 data classification metrics by DoS models pretrained on CSE-CIC-IDS2018 for the best 3 models per attack class, both for baseline (B) and generalized (G) classification, with mention of the preprocessing parameters.
  
 
  
      Table 8.
    CIC-DoS2017 data classification metrics by DoS models pretrained on CSE-CIC-IDS2018 for the best 3 models per attack class, both for baseline (B) and generalized (G) classification, with mention of the preprocessing parameters.
      
        | B/G | Class | M | Algorithm | Balanced Acc. | F1 | Precision | Recall | Scaling | Reduction | % Train | 
|---|
| B | 18-1.L7-DoS | 18-1 | ada | 100.00 | 99.93 | 99.87 | 100.00 | MinMax | 0 | 0.5 | 
| dtree | 100.00 | 99.91 | 99.82 | 100.00 | No | 0 | 0.5 | 
| dtree | 99.87 | 99.61 | 99.47 | 99.76 | Z | 0 | 0.1 | 
| B | 18-2.L7-DoS | 18-2 | xgboost | 99.98 | 99.99 | 99.97 | 100.00 | MinMax | 0 | 0.1 | 
| rforest | 99.98 | 99.99 | 99.98 | 100.00 | MinMax | 0 | 0.1 | 
| dtree | 99.98 | 99.99 | 99.97 | 100.00 | MinMax | 0 | 0.1 | 
| G | 0.L7-DoS | 18-1 | ncentroid | 79.56 | 60.07 | 52.68 | 69.89 | No | 10 | 0.1 | 
| ncentroid | 78.74 | 59.31 | 52.58 | 68.01 | No | 0 | 0.5 | 
| ncentroid | 78.65 | 58.89 | 51.83 | 68.17 | No | 0 | 1.0 | 
| G | 0.L7-DoS | 18-2 | bag | 75.56 | 48.15 | 35.68 | 74.02 | MinMax | 5 | 0.1 | 
| ada | 74.64 | 44.63 | 30.99 | 79.74 | Z | 20 | 0.5 | 
| bag | 71.61 | 45.84 | 36.49 | 61.63 | MinMax | 10 | 0.5 | 
      
 
  
    
  
  
    Table 9.
    Classification metrics for the best 3 models per attack class, both for baseline (B) and generalized (G) classification, with mention of the preprocessing parameters.
  
 
  
      Table 9.
    Classification metrics for the best 3 models per attack class, both for baseline (B) and generalized (G) classification, with mention of the preprocessing parameters.
      
        | B/G | Class | M | Algorithm | Balanced Acc. | F1 | Precision | Recall | Scaling | Reduction | % Train | 
|---|
| B | 18-3.DDoS | 18-3 | gradboost | 99.81 | 99.83 | 99.87 | 99.79 | MinMax | 0 | 0.1 | 
| xgboost | 99.80 | 99.83 | 99.72 | 99.94 | MinMax | 0 | 0.1 | 
| knn | 99.80 | 99.83 | 99.72 | 99.94 | MinMax | 0 | 0.1 | 
| B | 18-4.DDoS | 18-4 | extratree | 99.99 | 100.00 | 99.99 | 100.00 | No | 20 | 0.1 | 
| ada | 99.98 | 99.99 | 99.97 | 100.00 | MinMax | 5 | 0.1 | 
| extratree | 99.98 | 99.99 | 99.98 | 100.00 | Z | 5 | 0.1 | 
| G | 19-0.DNS | 18-4 | bag | 91.28 | 91.96 | 85.35 | 99.68 | Z | 15 | 0.1 | 
| 18-4 | xgboost | 88.45 | 89.61 | 81.40 | 99.68 | Z | 15 | 0.5 | 
| 18-4 | xgboost | 96.15 | 96.29 | 92.92 | 99.91 | MinMax | 15 | 21.0 | 
| G | 19-1.LDAP | 18-3 | xgboost | 98.98 | 98.98 | 98.35 | 99.63 | MinMax | 10 | 1.0 | 
| 18-3 | ada | 98.11 | 98.13 | 96.97 | 99.32 | Z | 0 | 6.0 | 
| 18-3 | dtree | 97.98 | 98.01 | 96.74 | 99.32 | Z | 20 | 6.0 | 
| G | 19-11.LDAP | 18-3 | ada | 87.98 | 88.27 | 86.16 | 90.50 | MinMax | 5 | 1.0 | 
| 18-3 | rforest | 87.54 | 87.90 | 85.44 | 90.50 | MinMax | 0 | 0.5 | 
| 18-3 | dtree | 87.69 | 88.02 | 85.68 | 90.50 | MinMax | 20 | 1.0 | 
| G | 19-2.MSSQL | 18-3 | ada | 93.64 | 94.02 | 88.72 | 100.00 | MinMax | 5 | 0.1 | 
| 18-3 | rforest | 93.69 | 94.07 | 88.80 | 100.00 | MinMax | 20 | 0.5 | 
| 18-3 | bag | 93.64 | 94.02 | 88.72 | 100.00 | MinMax | 5 | 1.0 | 
| G | 19-12.MSSQL | 18-3 | rforest | 91.75 | 92.38 | 85.86 | 99.96 | MinMax | 0 | 0.5 | 
| 18-3 | ada | 91.23 | 91.94 | 85.08 | 100.00 | MinMax | 5 | 0.1 | 
| 18-3 | ada | 91.32 | 92.01 | 85.21 | 100.00 | MinMax | 5 | 1.0 | 
| G | 19-3.NetBIOS | 18-3 | extratree | 99.77 | 99.77 | 99.77 | 99.77 | MinMax | 10 | 6.0 | 
| 18-3 | xgboost | 97.10 | 97.05 | 98.91 | 95.25 | MinMax | 10 | 1.0 | 
| 18-4 | extratree | 99.30 | 99.29 | 99.70 | 98.89 | MinMax | 15 | 11.0 | 
| G | 19-13.NetBIOS | 18-3 | xgboost | 97.99 | 98.03 | 96.28 | 99.85 | MinMax | 10 | 1.0 | 
| 18-3 | extratree | 99.77 | 99.77 | 99.70 | 99.85 | MinMax | 10 | 6.0 | 
| 18-3 | gradboost | 99.36 | 99.36 | 98.88 | 99.85 | Z | 20 | 6.0 | 
| G | 19-4.NTP | 18-3 | extratree | 99.48 | 99.48 | 99.53 | 99.44 | MinMax | 10 | 6.0 | 
| 18-3 | xgboost | 95.30 | 95.12 | 98.92 | 91.60 | MinMax | 10 | 1.0 | 
| 18-4 | extratree | 99.54 | 99.54 | 99.65 | 99.43 | MinMax | 20 | 11.0 | 
| G | 19-5.SNMP | 18-3 | xgboost | 95.72 | 95.58 | 98.73 | 92.63 | MinMax | 10 | 1.0 | 
| 18-3 | bag | 94.86 | 95.11 | 90.67 | 100.00 | MinMax | 0 | 1.0 | 
| 18-3 | bag | 94.72 | 94.99 | 90.46 | 100.00 | MinMax | 20 | 1.0 | 
| G | 19-6.SSDP | 18-3 | extratree | 99.34 | 99.34 | 99.60 | 99.08 | MinMax | 10 | 6.0 | 
| 18-3 | extratree | 98.95 | 98.94 | 99.87 | 98.03 | MinMax | 20 | 11.0 | 
| 18-4 | extratree | 98.62 | 98.61 | 99.60 | 97.64 | MinMax | 15 | 11.0 | 
| G | 19-7.UDP | 18-3 | extratree | 99.75 | 99.75 | 99.63 | 99.86 | MinMax | 10 | 6.0 | 
| 18-4 | extratree | 99.65 | 99.65 | 99.58 | 99.72 | MinMax | 15 | 11.0 | 
| 18-3 | gradboost | 96.94 | 97.03 | 94.39 | 99.81 | MinMax | 15 | 6.0 | 
| G | 19-16.UDP | 18-3 | extratree | 99.47 | 99.47 | 99.43 | 99.52 | MinMax | 10 | 6.0 | 
| 18-4 | extratree | 99.20 | 99.20 | 99.05 | 99.36 | MinMax | 15 | 11.0 | 
| 18-3 | gradboost | 94.51 | 94.80 | 90.11 | 100.00 | MinMax | 15 | 6.0 | 
| G | 19-8.SYN | 18-4 | knn | 98.21 | 98.25 | 96.55 | 100.00 | Z | 20 | 0.5 | 
| 18-3 | knn | 96.68 | 96.66 | 97.41 | 95.92 | Z | 5 | 0.1 | 
| 18-3 | rbfsvc | 95.54 | 95.39 | 98.64 | 92.35 | Z | 20 | 0.5 | 
| G | 19-15.SYN | 18-4 | knn | 97.81 | 97.85 | 96.00 | 99.78 | Z | 20 | 0.5 | 
| 18-3 | rbfsvc | 94.63 | 94.84 | 91.25 | 98.71 | MinMax | 5 | 1.0 | 
| 18-3 | rbfsvc | 94.14 | 94.41 | 90.26 | 98.96 | MinMax | 15 | 1.0 | 
| G | 19-9.TFTP | 18-3 | ada | 92.50 | 92.97 | 87.49 | 99.18 | MinMax | 5 | 0.1 | 
| 18-3 | rforest | 92.67 | 93.12 | 87.75 | 99.18 | MinMax | 20 | 0.5 | 
| 18-3 | rforest | 92.53 | 92.99 | 87.53 | 99.18 | MinMax | 0 | 0.5 | 
| G | 19-10.UDPLag | 18-3 | knn | 91.81 | 91.30 | 97.37 | 85.94 | Z | 5 | 0.1 | 
| 18-3 | ncentroid | 91.73 | 91.27 | 96.62 | 86.48 | Z | 15 | 0.1 | 
| 18-3 | ncentroid | 91.57 | 91.11 | 96.27 | 86.48 | Z | 5 | 0.1 | 
| G | 19-17.UDPLag | 18-3 | ncentroid | 90.51 | 89.86 | 96.47 | 84.10 | Z | 15 | 0.5 | 
| 18-3 | knn | 89.75 | 88.89 | 97.01 | 82.03 | Z | 10 | 0.1 | 
| 18-3 | ncentroid | 89.13 | 88.56 | 93.52 | 84.10 | Z | 15 | 0.1 | 
| G | 19-14.Portmap | 18-3 | gradboost | 99.14 | 99.14 | 99.34 | 98.94 | Z | 20 | 6.0 | 
| 18-3 | dtree | 93.05 | 93.44 | 88.51 | 98.94 | Z | 20 | 1.0 | 
| 18-4 | extratree | 97.06 | 97.13 | 95.10 | 99.24 | MinMax | 10 | 11.0 |