Article

SEDAT: A Stacked Ensemble Learning-Based Detection Model for Multiscale Network Attacks

1 School of Data Science and Artificial Intelligence, Chang’an University, Xi’an 710061, China
2 School of Computer Science and Engineering, Xi’an University of Technology, Xi’an 710048, China
3 Sichuan Digital Economy Industry Development Research Institute, Chengdu 610036, China
4 School of Cyber Science and Engineering, Xi’an Jiaotong University, Xi’an 710049, China
5 Guangxi Key Laboratory of Trusted Software, Guilin 541004, China
* Authors to whom correspondence should be addressed.
Electronics 2024, 13(15), 2953; https://doi.org/10.3390/electronics13152953
Submission received: 26 June 2024 / Revised: 22 July 2024 / Accepted: 23 July 2024 / Published: 26 July 2024
(This article belongs to the Special Issue Network Intrusion Detection Using Deep Learning)

Abstract

Anomaly detection for network traffic aims to analyze the characteristics of network traffic in order to discover unknown attacks. Currently, existing detection methods have achieved promising results against high-intensity attacks that aim to interrupt the operation of the target system. In reality, attack behaviors that are commonly exhibited are highly concealed and disruptive. In addition, the attack scales are flexible and variable. In this paper, we construct a multiscale network intrusion behavior dataset, which includes three attack scales and two multiscale attack patterns based on probability distribution. Specifically, we propose a stacked ensemble learning-based detection model for anomalous traffic (or SEDAT for short) to defend against highly concealed multiscale attacks. The model employs a random forest (RF)-based method to select features and introduces multiple base learning autoencoders (AEs) to enhance the representation of multiscale attack behaviors. In addressing the challenge of a single model’s inability to capture the regularities of multiscale attack behaviors, SEDAT is capable of adapting to the complex multiscale characteristics in network traffic, enabling the prediction of network access behavior. Comparative experiments demonstrate that SEDAT exhibits superior detection capabilities in multiscale network attacks. In particular, SEDAT achieves an improvement of at least 5% accuracy over baseline methods for detecting multiscale attacks.

1. Introduction

In recent years, cyberattacks have shown the characteristics of large scope, high frequency, and long duration, causing significant distress to governments, organizations, businesses, and individuals [1]. For instance, in February 2024, the University of Cambridge and several universities in the United Kingdom (UK) experienced a distributed denial of service (DDoS) attack. The attack disrupted network services at several higher education institutions in the UK [2]. In June 2024, a major cyberattack on National Health Service (NHS) hospitals in the UK resulted in the postponement of numerous surgeries, with a particular impact on blood transfusions [3]. However, as forms of cyberattacks evolve, traditional cyberattacks aiming at consuming resources and occupying bandwidth are no longer favored by attackers due to the high cost of such attacks and the lack of concealment [4]. Network attackers typically initiate their activities by simulating general access behavior. They then launch multiscale attacks involving multiple stages, long duration, and high concealment to occupy resources. Although an attack may not immediately result in network or system paralysis or disrupt general network services, the highly concealed and persistent attack traffic ultimately impacts the majority of users accessing the target network.
In real-world scenarios, attackers typically launch highly concealed multiscale attacks targeting servers. A multiscale attack can be adjusted to blend in with benign traffic, resulting in longer latency times and greater detection challenges. Currently, existing detection methods for high-intensity attacks have achieved promising results. The majority of methods are based on deep learning (DL) models, such as the support vector machine (SVM) [5,6], RF [7,8], Adaboost [9], deep neural network (DNN) [10,11], convolutional neural network (CNN) [12,13,14,15], and generative adversarial network (GAN) [16,17]. Nevertheless, most of them predominantly concentrate on automatically extracting attack features and validating their models on benchmark datasets in order to achieve superior detection results. For multiscale network attacks, traditional methods do not consider the variation in attack scales and the iterative update of attack patterns. Meanwhile, they may fail to capture scale-related information about attacks as they offer uniform data representations of attack behavior. In addition, these methods focus solely on detection performance on benchmark datasets, overlooking the effectiveness bounds of the detection methods.
Attackers typically launch attacks through network connections. Therefore, using AI techniques to identify patterns in network traffic that do not conform to expected general behavior is a promising approach. In this paper, we propose a stacked ensemble learning-based detection model for anomalous traffic to defend against highly concealed multiscale network attacks. The stacked ensemble learning model includes multiple base models and a meta-model. The outputs from the base models are utilized as inputs for the meta-model. The process effectively integrates multiscale attack data for constructing the ultimate meta-model [18]. First, we construct a novel multiscale network intrusion behavior dataset including three attack scales (light, medium, and heavy) and two multiscale attack patterns based on probability distributions (normal distribution and exponential distribution). Second, we preprocess the data by extracting effective features related to attack behavior. Subsequently, the RF algorithm is employed to select the most influential features. Additionally, base learning AEs are designed for different attack scales to achieve comprehensive feature extraction. Finally, a stacked ensemble learning model is constructed for detecting anomalies and threats in the network traffic. We conduct comparative experiments with baseline models (RAIDS [19], NDAES [20], multilayer perceptron (MLP) [21], DNN [22], RF [23], and SVM [24]) and benchmark datasets (CIC IDS-2017 [25] and UNSW-NB15 [26]) to evaluate the effectiveness of SEDAT. The experimental results on different baseline methods and benchmark datasets demonstrate that the proposed detection model, named SEDAT, achieves superior classification accuracy and outperforms baseline methods. In summary, this paper makes the following contributions:
  • We construct a novel multiscale network intrusion behavior dataset based on real-world network environments to address the lack of multiscale attack data, including three scales of attacks: light, medium, and heavy. We validate the effectiveness of multiscale attacks through experiments.
  • We design two multiscale attack patterns based on continuous-type probability distributions (i.e., normal distribution and exponential distribution) in order to simulate multiscale attack behaviors that can easily blend into benign traffic. We validate the effectiveness of SEDAT under these attack patterns through experiments.
  • We propose a stacked ensemble learning-based detection model for anomalous traffic named SEDAT to defend against highly concealed multiscale network attacks.
  • We analyze the effectiveness bounds of SEDAT based on the experimental results and explore the similarities between concealed attack traffic and benign traffic in real-world network environments.
The rest of this paper is organized as follows. Section 2 provides some related works, which include intrusion detection datasets and detection methods for anomalous traffic. Section 3 presents the constructed dataset and validates the effectiveness of multiscale attacks. Section 4 presents the proposed detection model for anomalous traffic. Section 5 presents the experimental results of the proposed SEDAT model, and a comparison between the proposed SEDAT model and other baseline methods is also shown in this section. Section 6 provides the conclusions of our work.

2. Related Work

Cyberattacks continue to pose significant concerns worldwide and remain a critical area of research. Current research on detecting anomalous network traffic typically focuses on two main directions. Some researchers focus on developing intrusion detection datasets based on real-world network environments. On the other hand, some researchers focus on extracting features from network traffic using various algorithms and models. These studies commonly validate effectiveness by using benchmark datasets and comparing them with baseline methods. Therefore, this paper introduces related research from both directions: intrusion detection datasets and detection methods for anomalous traffic.

2.1. Intrusion Detection Dataset

Various open-source datasets are crucial for identifying features related to intrusion. The datasets discussed in this subsection are commonly cited in IDS papers. For instance, the KDD Cup ’99 dataset [27] was compiled by capturing approximately nine weeks of raw TCP Dump data on a local area network (LAN). The attacks in this dataset are broadly categorized into four main types: denial of service (DoS), root to local (R2L), user to root (U2R), and probing (such as port scanning). The NSL-KDD dataset [28] was derived from the KDD Cup ’99 dataset, with the aim of addressing the issue of redundant records. Such duplicate instances bias the training set towards normal instances in machine learning (ML) methods. The UNSW-NB15 dataset [26], created by the Australian Center for Cybersecurity (ACCS), was generated using the IXIA Traffic Generator. It contains summary information, network connectivity characteristics, and traffic statistics. The CIC IDS-2017 dataset [25], produced by the Canadian Institute for Cybersecurity, contains the latest cyberattacks and adheres to real-world attack standards. It is widely used as a benchmark dataset. The data were collected over five days, and the dataset captures a range of cyberattacks: benign activity on Monday, brute force attacks on Tuesday, DoS attacks on Wednesday, multiple cyberattacks on Thursday, and botnets, port scans, and a DDoS LOIT on Friday afternoon. The CSE-CIC-IDS 2018 dataset [29] enhances the reliability and diversity of traffic to overcome the limitation of previous datasets. The dataset includes benign traffic and seven common attacks that represent real-world scenarios. LITNET-2020 [30] is an annotated benchmark dataset derived from real-world networks, incorporating 85 network flow features and covering 12 types of attacks. The USB-IDS-1 dataset [31] is designed for DoS attacks, considering the performance, configurations, and defense modules of the victim server. It provides insights into attack methods and validates their effectiveness. Od-ids2022 [32] is a comprehensive and empirical IDS dataset with the latest attacks. The dataset contains benign traffic and 28 common attacks and satisfies 11 desirable characteristics. To address the lack of diversity, the TII-SSRC-23 dataset [33] contains a variety of traffic types and subtypes. The dataset performs a functional importance analysis that provides important insights into the key functions of the intrusion detection task. The CICEV2023 DDoS dataset [34] focuses on DDoS attacks targeting electric vehicle (EV) charging infrastructure, implementing four attack patterns and a variety of attack distributions. SDNFlow [35], based on SDN-OpenFlow technology, is a new dataset for detecting intrusions in SDNs and covers a wide range of network activities. Cordero et al. [36] developed the ID2T toolkit to create labeled datasets, which incorporate synthetic attacks into background flows and support extended attack types. Ferriyan et al. [37] proposed a dataset of encrypted network flows in real-world environments, which includes encrypted traffic, packet payloads, and background traffic. Kumar et al. [38] proposed a Wasserstein conditional generative adversarial network (WGAN) combined with XGBoost classifiers, demonstrating effective handling of highly imbalanced data samples by aligning the loss patterns of generated and real data.
In common benchmark datasets, each dataset is collected in a different experimental setting and contains a wide variety of attacks. However, attack patterns that aim to consume resources and occupy bandwidth are typically used during dataset collection without detailing the scale of the attack and the level of threat to the server. In the research on synthetic traffic, many researchers propose solutions to address the limitations of different open-source datasets. However, none of these solutions address the lack of multiscale attack patterns. Therefore, in this paper, we construct a novel intrusion behavior dataset for multiscale network attacks. The dataset elaborates various multiscale attack patterns and the attack pressure on the server under different attack scales.

2.2. Detection Methods for Anomalous Traffic

Most IDSs focus on using artificial intelligence (AI) techniques to classify anomalous network traffic and identify network intrusions, such as DL and ML [39]. Jabez et al. [40] proposed a method for intrusion detection called outlier detection. Ianni et al. [41] proposed a novel method to identify security threats in activity logs. The method utilizes an outlier detection algorithm based on coded activities for detecting malicious behavior. Dong [42] proposed the cost-sensitive SVM (CMSVM) to tackle network traffic imbalance. CMSVM is a multiclass SVM algorithm that incorporates active learning for dynamically assigning weights to different classes. Hu et al. [43] introduced a model for categorizing encrypted network traffic, which leverages attention mechanisms and spatio-temporal features. This model effectively classifies both encrypted and non-encrypted application traffic, notably improving accuracy by capturing temporal correlations with an initial long short-term memory (LSTM) model and extracting spatial features using a CNN model. Xiao et al. [44] developed an extended byte segment neural network (EBSNN), which is capable of classifying network traffic based on the initial data packets. Diallo et al. [45] proposed an adaptive clustering method for intrusion detection (Acid), which is deployed at the network edge. This lightweight neural model employs multiple kernel networks trained with low-dimensional embedding to handle subtle changes in traffic features. Faker et al. [22] utilized a DNN with three hidden layers and ensemble techniques (RF and gradient boosted tree (GBT)) to achieve an accuracy of 99.19% in binary classification. Kaja et al. [46] proposed a two-stage intelligent IDS, using K-means in the first stage to detect attacks and supervised learning in the second stage to classify anomalous traffic. This model eliminates false positives and achieves a 99.97% accuracy in detecting attacks. Shone et al. [20] proposed a classification model that utilizes stacked neural network denoising AEs (NDAEs) and RF classification algorithms. The model achieves a classification accuracy of 85.42% and reduces training time by 98.81%, resulting in outstanding detection efficiency. Rosay et al. [21] proposed an MLP neural network IDS (MLP4NIDS), which achieves a detection accuracy of over 99% with a false-positive rate of less than 0.7%. Hsu et al. [47] proposed a stacked ensemble learning intrusion detection algorithm that integrates AE, SVM, and RF models. The model achieves an accuracy of 91.8% on the UNSW-NB15 dataset. Vaca et al. [48] proposed an ensemble learning model using four integration algorithms, with RF as the ultimate model. Xu et al. [49] proposed an innovative IDS that consists of recurrent neural networks (RNNs) with gated recurrent units (GRUs), MLPs, and softmax modules. This system demonstrates an exceptional performance in detecting DoS attacks, achieving a detection accuracy of 99.98%. These studies demonstrate significant improvements in IDS by utilizing advanced AI techniques to enhance accuracy and effectively reduce false alarms.
In related research on anomalous traffic detection, most researchers choose specific DL models to enhance detection rates and validate effectiveness using publicly available benchmark datasets. After that, some researchers propose detection algorithms that focus on specific attack scales, such as low-rate DoS (LDoS) attacks [50,51]. However, in real-world scenarios characterized by flexible and varied attack forms, IDSs that focus solely on a single attack scale usually fail to achieve satisfactory detection results. Furthermore, DL-based intrusion detection models are hindered by the scale of the dataset, which leads to prolonged training times and inefficient training processes. Therefore, in this paper, we propose a stacked ensemble learning-based detection model called SEDAT for anomalous traffic. SEDAT concurrently reduces training time and enhances efficiency by integrating an RF-based feature selection method with a stacked ensemble learning detection model. In addition, SEDAT ensures excellent detection of anomalies by using datasets collected from real-world network environments.

3. The Construction of a Novel Multiscale Network Intrusion Behavior Dataset

Network intrusion detection is an effective technique for securing modern computer networks and protecting target systems and networks against malicious activities. Real-time updated network flow datasets are currently the main focus of research in the field of network security. Despite the efforts of some researchers, there still exists a shortage of network datasets that cover multiscale attack patterns. To address this issue, we construct a novel multiscale network intrusion behavior dataset. The dataset is collected by capturing bidirectional HTTP network flow data between the victim network and either the attack node or the normal node. In this paper, we select three representative attack tools (Hulk [52], TCP Flood [53], Slowloris [54]) that are capable of adjusting the scale of the attack to launch network attacks. These attacks are widely used in datasets such as CIC IDS-2017 [25], CSE-CIC-IDS 2018 [29], USB-IDS-1 [31], and SDNFlow [35]. Here is the outline of the experimental environment and the process for collecting data.

3.1. Experimental Test Environment

The data collection is conducted within a LAN infrastructure, and the experimental test environment is illustrated in Figure 1. The experimental equipment includes three Ubuntu 20.04 nodes and one Windows 10 node, each equipped with an Intel(R) Core(TM) i5-10400 CPU and 16 GB of RAM. The experimental environment is divided into two networks: the user-side network, which sends requests and includes an attack node, a normal node, and a client node, and the victim network, responsible for accepting requests from the user-side network, capturing network traffic, performing feature transformation, and probing server performance.
The victim network is a web server configured with the Golang GIN [55] framework, which is a high-performance, highly concurrent, lightweight web development framework. The framework is widely utilized in web applications. Additionally, the server runs the TCP Dump [56] program to capture traffic between the victim network and either an attack node or a normal node, saving the resulting traffic as pcap files. The information of network traffic in the pcap files is transformed into a dataset consisting of 16 CSV files using the CICFlowMeter [57] traffic extraction tool. The performance probing tool records the network input/output (I/O) and memory usage of the web service during attacks of varying scales. Furthermore, the server is configured with a firewall to simulate real-world conditions on the victim network.
The user-side network is used to send network requests and includes an attack node that generates malicious network traffic, a normal node that generates benign network traffic, and a client node that monitors the victim network at a fixed request frequency (L = 300 requests per second (reqs/s)). The attack node’s attack process is carried out using three popular attack tools: Hulk [52], TCP Flood [53], and Slowloris [54]. In the multiscale attack process, each attack tool launches attacks with three different scales: light, medium, and heavy. The light-scale attack is set at the smallest scale executable by the attack tools; the medium-scale attack is set at the average of the light- and heavy-scale attacks; and the heavy-scale attack is set at the maximum service throughput (100 megabits per second (Mbps)). In the probability distribution multiscale attack patterns, the attack tools simulate Internet flow tendencies and launch attacks using two probability-distribution trend strategies (normal distribution and exponential distribution). The normal node uses the curl-loader tool [58] to simulate the interaction of general users with the server. The tool simulates thousands of clients and generates access traffic for general clients, each with its own unique source IP address. The network access testing tool, operated by the client node, simulates the access behavior of clients and sends requests to the victim network at a fixed request rate of L = 300 reqs/s. The number of network requests that the victim network can respond to is recorded without affecting the performance of the server. The number of network requests is used to evaluate the threat level of the victim server, both in the absence of network attacks and under different scale attacks. The experimental steps are as follows:
  • Initiate the web service, start TCP Dump to capture network packets, and activate the performance probing tool to monitor the network I/O and memory usage of the web service.
  • The client node runs the network access testing tool and sends network requests to the server at a fixed rate of L = 300 reqs/s. The tool records the number of requests that the server can respond to (not captured as a dataset) under different scale attacks.
  • The attack node generates malicious multiscale network attack traffic using tools such as Hulk, TCP Flood, and Slowloris.
  • The normal node emulates 5000 clients and generates benign network traffic for the dataset.
  • The performance probing tool collects web service network I/O and memory metrics. The network access tool collects the client node’s request rate. TCP Dump stores the collected benign and malicious traffic in pcap files. CICFlowMeter is responsible for traffic feature transformation.

3.2. Generation of Multiscale Attack Traffic

During the process of the multiscale network attack, we choose three representative attack tools. The following subsection outlines the attack process and provides details about the scale of the attack. Figure 2 illustrates the effectiveness validation of the multiscale attack.
The Hulk attack tool [52] exploits HTTP’s characteristic that each request must be processed by the target server. This tool overwhelms the server’s bandwidth by sending numerous network requests, impairing its ability to respond to legitimate users’ requests. The Hulk tool launches the attack process through the startup parameter ‘-site’, which specifies the target website. Additionally, the parameter ‘-HULKMAXPROCS’ controls the attack scale by setting the number of goroutines. The web service’s network I/O upload throughput and client node’s request rate are effective indicators for evaluating the scale of the Hulk attack, as depicted in Figure 2a,b. During the light-scale Hulk attack, the web service’s I/O upload throughput is approximately 20 Mbps, and the client node’s request rate ranges from 225 reqs/s to 250 reqs/s. As the attack scale increases, the web service’s I/O upload throughput increases while the client node’s request rate decreases. In the heavy-scale Hulk attack, the web service’s I/O upload throughput reaches approximately 100 Mbps, representing the upper limit of system performance. Meanwhile, the client node’s request rate remains between 150 reqs/s and 175 reqs/s.
The TCP Flood tool [53] initiates numerous TCP SYN requests to the server but terminates the connection prematurely before completing the TCP three-way handshake process. This attack causes the server to wait for a timeout and maintain an incomplete connection state, thereby consuming server resources. The TCP Flood tool sets up the parameter ‘-threads’ to control the number of threads. The download throughput of the web service and the request rate of the client node are crucial metrics for evaluating the attack’s effectiveness, as illustrated in Figure 2c,d. During the light TCP Flood attack, the web service’s I/O download throughput is approximately 50 Mbps, and the client node’s request rate is about 200 reqs/s. In the medium TCP Flood attack, the web service’s I/O download throughput ranges between 60 Mbps and 80 Mbps, while the client node’s request rate drops to approximately 100 reqs/s. Finally, in the heavy TCP Flood attack, the web service’s I/O download throughput reaches the system’s upper performance limit, while the client node’s request rate decreases to around 10 reqs/s.
The Slowloris tool [54] exploits a characteristic of HTTP connection where each request requires the server to maintain a connection and wait for the client to complete the request. Attackers send numerous incomplete requests to the target server, which are gradually completed at a slow speed. The gradual consumption of server resources eventually leads to the service becoming unavailable. The Slowloris tool adjusts the attack scale by using startup parameters such as ‘-u’ for the target server URL, ‘-GET’ for the HTTP request type, ‘-p’ for the expiration time of the slow HTTP request, and ‘-c’ for the number of network connections for the slow HTTP request. Additionally, the I/O upload and download throughputs of the web service are effective indicators for evaluating the scale of the Slowloris attack, as illustrated in Figure 2e,f. In the light Slowloris attack, the web service maintains I/O throughput of 20 Mbps. In the medium Slowloris attack, these rates range from 40 Mbps to 60 Mbps. In the heavy-scale Slowloris attack, the web service reaches its upper limit in terms of I/O upload and download throughputs.

3.3. Generation of Multiscale Attack Traffic Consistent with Probability Distribution

Attacks during traditional data collection are typically limited to a single attack pattern, which presents certain limitations. However, in real-world scenarios, general server network traffic tends to exhibit various probability distribution characteristics over time. In addition to uniform distribution [59], the data flow may also follow normal distribution [60,61] and exponential distribution [62,63]. This allows attacks to expand not only horizontally by extending the attack duration but also vertically by adjusting the scale of the attack, blending malicious traffic with benign traffic like a shadow, thereby increasing the difficulty of detection. Therefore, in this subsection, we combine multiscale attacks with probability distributions to launch more effective attacks. In each of these attack patterns, the scale of the attacks varies based on different probability distributions within one attack period (t = 330 s). The following two attack patterns are provided:
The normal distribution is a common continuous-type probability distribution. When a random variable follows a normal distribution, its graph forms a bell-shaped curve that is symmetric around the mean. The distributions of the different attacks are shown in Figure 3a–c. The attacker sets up the parameters of these attacks so that the attack scale increases during the first half of the attack cycle, reaches its peak at the midpoint, and gradually decreases in the second half, ensuring symmetry throughout the attack process. As a result, the probability density function (PDF) of the attack network traffic conforms to the normal distribution as described in Equation (1),

$$\mathrm{PDF} = F(x) = \frac{1}{\sigma\sqrt{2\pi}}\, e^{-\frac{1}{2}\left(\frac{x-\mu}{\sigma}\right)^{2}} \qquad (1)$$

where μ denotes the mean (mathematical expectation) of the distribution and σ denotes its standard deviation.
The exponential distribution is a continuous-type probability distribution where the probability peaks at x = 0 and decreases as x increases. The distributions for each type of attack are shown in Figure 3d–f. The attacker sets up the attack scale to reach its maximum at t = 0 s and gradually decrease as t increases, reaching its minimum at the end of the period. As a result, the PDF of the attack network traffic conforms to the exponential distribution as described in Equation (2),
$$\mathrm{PDF} = F(x) = \lambda e^{-\lambda x}, \quad x \ge 0 \qquad (2)$$
where λ denotes the parameter of the distribution, often called the rate parameter.
The effectiveness verification of multiscale attack patterns based on probability distribution is demonstrated in Figure 4. When the attack scale follows a probability distribution over time, its effective indicators are either proportional or inversely proportional to the probability distribution. As illustrated in Figure 4a,d,g–i, the attack scale increases or decreases over time, and the upload throughput, download throughput, and memory usage of the web service correspondingly increase or decrease. Conversely, as illustrated in Figure 4b,c,e,f, an increase in the scale of the attack over time results in a reduction in the number of available connections and a corresponding decrease in the request rate of the client node. Consequently, there is an inverse relationship between the request rate of the client node and its corresponding probability distribution. During the multiscale Hulk attack based on probability distribution, the I/O upload throughput of the web service is proportional to the probability distribution, while the client node request rate is inversely proportional to the probability distribution, as illustrated in Figure 4a–c. Similarly, during the multiscale TCP Flood attack based on probability distribution, the I/O download throughput of the web service is proportional to the probability distribution, while the client node request rate is inversely proportional to the probability distribution, as illustrated in Figure 4d–f. Finally, during the multiscale Slowloris attack based on probability distribution, both the web service memory usage and I/O download throughput are proportional to the probability distribution, as illustrated in Figure 4g–i.

3.4. Statistical Information on Dataset

The dataset constructed in this paper includes 16 CSV files. The dataset provides information on three attack scales (light, medium, and heavy), two multiscale attack patterns based on probability distributions (normal distribution and exponential distribution), and benign network traffic. Each file corresponds to specific combinations of an attack tool, attack scale, or attack pattern based on probability distributions. For example, the file named “Hulk_normal_distribution” represents network traffic generated by the Hulk attack following a normal distribution attack pattern. The statistical details of the dataset are as described in Table 1. “Attack” denotes the number of attack traffic instances generated by the attack node, and “Benign” denotes the amount of benign and background traffic instances generated by the normal node. All dataset example files can be freely downloaded from https://github.com/xiaofengbbb/Multi-Scale-Network-IntrusionBehavior-Dataset.git (accessed on 22 July 2024) in the GitHub repository.

4. Stacked Ensemble Learning-Based Detection Model for Anomalous Traffic

This section outlines the design and implementation specifics of the stacked ensemble learning-based detection model for anomalous traffic to defend against multiscale network attacks. An illustrative example of SEDAT is shown in Figure 5. First, the general architecture of SEDAT is introduced. Then, a detailed discussion of its three key modules, data preprocessing, feature selection, and anomaly detection, is provided. The main goal of SEDAT is to efficiently identify anomalous traffic to defend against multiscale attacks.

4.1. Data Preprocessing

In this subsection, we adhere to the convention of labeling network traffic in the dataset as attack samples and benign samples. For example, traffic instances transmitted from the attack node to the victim network are designated as attack samples, while traffic instances transmitted from the normal node to the victim network are categorized as benign samples. Based on prior knowledge of the concealed characteristics of the attack features, we filter out irrelevant features and eliminate features correlated with the attack host (e.g., flow ID, source IP, destination IP, source port, destination port, timestamp, protocol type). Additionally, we assign the value of 0 to attack samples and the value of 1 to benign samples in order to represent them as numerical features. To address noise in the network traffic, we use the Z-score normalization method in this subsection, as described in Equation (3). This method standardizes the data by setting their mean to 0 and their standard deviation to 1, thereby centering and standardizing the data. The Z-score normalization method helps in effectively capturing the distribution and structure of the traffic data for the base learning AEs.
$$x' = \frac{x - \mu}{\sigma} \quad (3)$$
where $\mu$ denotes the sample mean and $\sigma$ denotes the sample standard deviation.

4.2. Feature Selection

DL-based intrusion detection models often face challenges such as dependency on dataset size, extended training periods, and low training efficiency. To address these issues, in this subsection, we employ the RF model for feature selection on the refined dataset after data preprocessing. The RF method samples subsets from the original dataset to construct subdatasets for training individual decision trees. Each decision tree produces an outcome, and the final decision is determined by aggregating the votes from all trees in the forest. RF identifies the optimal features by randomly selecting subsets of features. This method is crucial for improving both the detection performance and the computational efficiency of the intrusion detection model. The proposed feature selection algorithm is based on three datasets, $D_m = (x_m, y_m)$; $m = \{light, medium, heavy\}$, where $x_m$ denotes the feature vectors for different scales of attacks and $y_m$ denotes the feature labels. Since each feature contributes differently to the attack behaviors, we rank the importance of features and select the top 18 features (i.e., Flow Duration, Total Fwd Packet, Fwd IAT Total, Fwd IAT Std, Bwd URG Flags, Bwd Packets/s, Packet Length Min, Packet Length Std, SYN Flag Count, RST Flag Count, PSH Flag Count, CWR Flag Count, ECE Flag Count, Fwd Segment Size Avg, Bwd Bulk Rate Avg, Subflow Bwd Packets, Subflow Bwd Bytes, FWD Init Win Bytes) as inputs for the next stage. The feature selection method based on RF is summarized in Algorithm 1.
Algorithm 1 The feature selection algorithm based on RF.
Require: D_m = (x_m, y_m); m = {light, medium, heavy};
Ensure: Feature subset after feature selection: List_final;
  1: i ← 1;
  2: for D_i ∈ D_m do
  3:     model = RandomForestClassifier(D_i);
  4:     List_i = model.feature_importances;
  5:     i ← i + 1;
  6: end for
  7: List_light ← List_1;
  8: List_medium ← List_2;
  9: List_heavy ← List_3;
 10: D_sort = feature_sort(List_light ∪ List_medium ∪ List_heavy);
 11: List_final = D_sort[0:18];
 12: return List_final;
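The following is an added example, not the paper's own code: it implements the preprocessing of Section 4.1 (dropping host-correlated columns, encoding attack = 0 and benign = 1, Z-score normalization) together with the importance-merging step of Algorithm 1 (lines 10 and 11) in pure Python. It assumes constructed per-scale importance vectors in place of a fitted random forest, and takes feature_sort to rank features by their mean importance across the three scales, which the paper does not define.

```python
# Added example, not the paper's code: Section 4.1 preprocessing and the
# merge/select step of Algorithm 1, in pure Python (no sklearn needed).
# Assumptions: the RandomForestClassifier fit of lines 3-4 is replaced by
# constructed importance vectors, and feature_sort ranks features by mean
# importance across the three scales (the paper leaves the rule unspecified).
from statistics import mean, pstdev

# Columns the paper removes because they correlate with the attack host.
DROP_COLUMNS = {"Flow ID", "Src IP", "Dst IP", "Src Port", "Dst Port",
                "Timestamp", "Protocol"}
# The paper's label encoding: attack samples are 0, benign samples are 1.
LABEL_MAP = {"attack": 0, "benign": 1}


def preprocess(rows):
    """Return (feature_names, X, y) for a list of flow records.

    Each row is a dict with a "Label" of "attack"/"benign" plus feature
    columns. Host-correlated columns are dropped, labels are encoded with
    LABEL_MAP, and every remaining column is Z-scored with the population
    standard deviation (Equation (3)). A constant column has sigma == 0;
    it is mapped to 0.0 rather than dividing by zero.
    """
    names = sorted(k for k in rows[0] if k not in DROP_COLUMNS and k != "Label")
    y = [LABEL_MAP[r["Label"]] for r in rows]
    stats = {}
    for n in names:
        col = [float(r[n]) for r in rows]
        stats[n] = (mean(col), pstdev(col))
    X = []
    for r in rows:
        vec = []
        for n in names:
            mu, sigma = stats[n]
            vec.append((float(r[n]) - mu) / sigma if sigma > 0 else 0.0)
        X.append(vec)
    return names, X, y


def feature_sort(importance_lists):
    """Merge per-scale importance dicts into one ranking.

    Assumed rule: mean importance over the lists, with a feature absent
    from a list counted as 0.0. Ties are broken by name for determinism.
    """
    features = set().union(*importance_lists)
    score = {f: mean(d.get(f, 0.0) for d in importance_lists) for f in features}
    return sorted(features, key=lambda f: (-score[f], f))


def select_features(importance_lists, k=18):
    """Algorithm 1, lines 10-11: rank the merged importances and keep the top k."""
    return feature_sort(importance_lists)[:k]


# Constructed importance vectors standing in for feature_importances_ on the
# light, medium and heavy datasets; these are not results from the paper.
IMPORTANCE_LIGHT = {"Flow Duration": 0.30, "SYN Flag Count": 0.25,
                    "Bwd Packets/s": 0.20, "Packet Length Std": 0.15,
                    "RST Flag Count": 0.10}
IMPORTANCE_MEDIUM = {"Bwd Packets/s": 0.32, "Fwd IAT Std": 0.26,
                     "Packet Length Min": 0.18, "SYN Flag Count": 0.14,
                     "Flow Duration": 0.10}
IMPORTANCE_HEAVY = {"Flow Duration": 0.35, "RST Flag Count": 0.30,
                    "SYN Flag Count": 0.20, "Bwd Packets/s": 0.10,
                    "Fwd IAT Std": 0.05}

# Constructed flow records; SYN Flag Count is deliberately constant so the
# sigma == 0 guard is exercised.
SAMPLE_ROWS = [
    {"Flow ID": "f1", "Src IP": "10.0.0.5", "Dst IP": "10.0.0.1", "Src Port": 40001,
     "Dst Port": 80, "Timestamp": "t1", "Protocol": 6, "Flow Duration": 100.0,
     "SYN Flag Count": 1, "Bwd Packets/s": 4.0, "Label": "attack"},
    {"Flow ID": "f2", "Src IP": "10.0.0.7", "Dst IP": "10.0.0.1", "Src Port": 40002,
     "Dst Port": 80, "Timestamp": "t2", "Protocol": 6, "Flow Duration": 300.0,
     "SYN Flag Count": 1, "Bwd Packets/s": 2.0, "Label": "benign"},
    {"Flow ID": "f3", "Src IP": "10.0.0.5", "Dst IP": "10.0.0.1", "Src Port": 40003,
     "Dst Port": 80, "Timestamp": "t3", "Protocol": 6, "Flow Duration": 200.0,
     "SYN Flag Count": 1, "Bwd Packets/s": 8.0, "Label": "attack"},
    {"Flow ID": "f4", "Src IP": "10.0.0.7", "Dst IP": "10.0.0.1", "Src Port": 40004,
     "Dst Port": 80, "Timestamp": "t4", "Protocol": 6, "Flow Duration": 400.0,
     "SYN Flag Count": 1, "Bwd Packets/s": 6.0, "Label": "benign"},
]

if __name__ == "__main__":
    names, X, y = preprocess(SAMPLE_ROWS)
    print(names, y)
    print(select_features([IMPORTANCE_LIGHT, IMPORTANCE_MEDIUM, IMPORTANCE_HEAVY], k=3))
    # With k=3 the merged ranking drops "Packet Length Min", which matters only
    # at medium scale: averaging across scales favours features that matter at
    # every scale, which is worth checking when one scale is the hard case.
```
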

4.3. Anomaly Detection

To meet the requirements of this paper on detecting multiscale network attacks, we analyze various DL models suitable for intrusion detection. The main considerations include the following: (1) The selected model should be capable of detecting anomalies under different scale attacks. (2) The selected model should be able to effectively capture complex relationships within the data. (3) The selected model should be adaptable to handle the varying and unknown scale of real-world network attacks. (4) The selected model should have a rapid training speed, high detection efficiency, and widespread applicability in real-world scenarios. Therefore, we use multiple autoencoders (AEs) as the base models to extract distinctive features from attacks of different scales. Then, we use a stacked ensemble learning model as the meta-model to combine the reconstructed data from base learning AEs, thus improving both the detection efficiency and the robustness.

4.3.1. Base Learning Autoencoders

The AE is an algorithm that learns a compact representation of its input data. The algorithm learns a representation of the information in the data and reconstructs it as output. The main components of an AE are the encoder and decoder units, which form a neural network. In the network, the encoder takes the input data and compresses them at each step to create a latent space, while the decoder uses this latent space to reconstruct the data. In the base models, three AEs are utilized to learn the underlying features of light-, medium-, and heavy-scale attack behaviors in order to make the detection model suitable for different scales of attacks. The base learning AEs can effectively capture the intricate relationships within the traffic data, reconstruct the input data, and extract abundant features as the basis for classification. The base learning AEs utilize three training datasets after feature selection, $D_m = (x_m, y_m)$; $m = \{light, medium, heavy\}$, where $x_m$ denotes the feature vectors of different attack scales and $y_m$ denotes the feature labels. The encoding process of the base models is illustrated in Equation (4),
$$h_m = \sigma(W \cdot x_m + b) \quad (4)$$
where $W$ and $b$ are the weight and bias of the encoder and $\sigma$ is the ReLU activation function used by the encoder. The decoding process of the base models is illustrated in Equation (5),
$$x'_m = \sigma'(W' \cdot h_m + b') \quad (5)$$
where $W'$ and $b'$ are the weight and bias of the decoder and $\sigma'$ is the ReLU activation function used by the decoder. Therefore, the feature extraction process of the base models $f_m(\cdot)$; $m = \{light, medium, heavy\}$ can be illustrated in Equation (6),
$$x'_m = f_m(x_m) \quad (6)$$
At the same time, we apply L2 regularization to prevent the base models from relying on specific features. This method reduces the impact of strong features and strengthens weaker ones. L2 regularization decreases the weights of hidden units, encouraging the optimization process to prioritize features with smaller but more significant weight values. The regularization simplifies the network structure and enhances the model’s classification ability. The regularization can be illustrated in Equation (7),
$$Loss_{L2} = Loss + \lambda \sum_{i}^{n} w_i^2 \quad (7)$$
where $Loss$ denotes the original loss function, $\lambda$ is the regularization parameter, and $w_i$ is the $i$-th parameter of the model.

4.3.2. Stacked Ensemble Learning

To effectively handle flexible and unknown scale network attacks in real scenarios and capture deep relationships among these features, we combine the reconstruction outputs of multiple base learning AEs to construct a meta-model that produces final classification results. The meta-model proposed in this paper includes a feature-stacking layer, a fully connected layer, and a sigmoid layer. The feature-stacking layer consolidates features from different base learning AEs in order to create a comprehensive feature representation, thereby enhancing the expressiveness and generalization of the model. The fully connected layer integrates information, processes non-linear data, and further enhances network expressiveness. The sigmoid layer acts as the output layer by providing probabilities for each category. Stacked ensemble learning leverages the strengths of each base model, enhancing classification accuracy and robustness by reducing noise. Even if one base model makes incorrect predictions, the overall prediction of the ensemble learning model is corrected by the others, thus enhancing the robustness of the model. In the classification process, we integrate the reconstructed data from the outputs of different base learning AEs. For each base model, its decoder output is denoted as $x'_m$; $m = \{light, medium, heavy\}$. After stacking features, the outputs obtained from the base models are fused to form an $m \times n$ matrix $z$. The meta-model feature-stacking process can be illustrated in Equation (8),
$$z = Feature\_Stack[x'_1, x'_2, \ldots, x'_m] \quad (8)$$
where $n$ is the dimension of $x'$. The merged meta-feature matrix $z$ is used to train the $meta\_model(\cdot)$ in order to obtain the final classification result. The prediction of the meta-model can be illustrated in Equation (9),
$$y_{final} = meta\_model(z) \quad (9)$$
Therefore, the final prediction result of stacked ensemble learning can be illustrated in Equation (10). The stacked ensemble learning detection model for anomalous traffic to defend against multiscale network attacks is summarized in Algorithm 2.
$$y_{final} = meta\_model([f_1(x_1), f_2(x_2), \ldots, f_m(x_m)]);\ m = \{light, medium, heavy\} \quad (10)$$
Algorithm 2 The algorithm of the stacked ensemble learning-based detection model for anomalous traffic to defend against multiscale network attacks.
Require: Dataset: D_m = (x_m, y_m); base learning AE model: f_m(·); m = {light, medium, heavy}; meta-model: meta_model(·);
Ensure: Classification results: y_final;
  1: i ← 1;
  2: for D_i ∈ D_m do
  3:     x'_i ← f_i(D_i);
  4:     i ← i + 1;
  5: end for
  6: z ← Feature_Stack[x'_1, x'_2, …, x'_m];
  7: y_final ← meta_model(z);
  8: return y_final;

5. Simulation Experiment

In this section, we set up several sets of comparison experiments to evaluate the SEDAT. The detection of network traffic anomalies can be seen as a classification task. We compare SEDAT with several intrusion detection models and conduct three experimental tests to verify the effectiveness of SEDAT. Additionally, we compare the results on the dataset proposed in this paper and common benchmark datasets (CIC IDS-2017 [25] and UNSW-NB15 [26]) to validate the advantages of SEDAT over traditional baseline methods. The following questions are addressed through experimental validation:
  • Q1: Does the proposed SEDAT model in this paper demonstrate excellent detection performance for subtle network attacks?
  • Q2: Does SEDAT demonstrate excellent detection performance against attacks of varying scales?
  • Q3: In what condition would SEDAT offer little or no help? Why does it work and when does it fail?
  • Q4: How do the relative parameters of SEDAT impact the detection performance?
  • Q5: Are there similarities between the network traffic of attacks at different scales and benign network traffic?

5.1. Experimental Setup

In the experimental setup subsection, datasets and comparison methods are selected to be similar to the designed detection model. By analyzing the differences in experimental results, we evaluate the effectiveness and advantages of SEDAT in detecting multiscale network attacks.

5.1.1. Experimental Datasets and Comparison Methods

This paper constructs a novel multiscale network intrusion behavior dataset in a LAN environment to highlight the model detection capability in defending against multiscale network attacks. The experimental dataset includes the newly created multiscale network intrusion behavior dataset as well as the network traffic benchmark datasets CIC IDS-2017 [25] and UNSW-NB15 [26]. This paper uses the leave-out method to divide the dataset, allocating 70% for training the base learning AEs and meta-model and reserving 30% for testing purposes. Our control group includes DL methods and classical ML methods related to AE or ensemble learning:
  • RAIDS [19]: This model generates multiple feature sets and trains a baseline ML classifier. It utilizes LightGBM as the classifier, which is trained using outputs from two AEs and a set of baseline ML classifiers.
  • NDAES [20]: This model utilizes two stacked NDAEs. NDAE1 includes one input layer and three hidden layers, while NDAE2 has three hidden layers. The learned feature representations are utilized to train RF classifiers for network traffic categorization.
  • MLP [21]: This model is based on an MLP with a network structure that includes one input layer, two hidden layers, and one output layer.
  • DNN [22]: This model includes an input layer followed by three hidden layers with 128, 64, and 32 nodes, respectively, and an output layer.
  • RF [24]: This model performs classification by constructing multiple decision trees and aggregating predictions from them.
  • SVM [25]: This model classifies samples by finding an optimal hyperplane in the feature space.

5.1.2. Evaluation Indicators

In this paper, TP, FN, FP, and TN represent the counts of the four possible outcomes: true positive (TP): an attack sample correctly classified as an attack sample; false negative (FN): an attack sample incorrectly classified as a benign sample; false positive (FP): a benign sample incorrectly classified as an attack sample; and true negative (TN): a benign sample correctly classified as a benign sample. Given the aforementioned definitions, accuracy, precision, and recall are defined as follows:
$$Accuracy = \frac{TP + TN}{TP + TN + FP + FN}$$
$$Precision = \frac{TP}{TP + FP}$$
$$Recall = \frac{TP}{TP + FN}$$
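As an added example (not code from the paper), the outcome counts and metrics above computed from label vectors that use the paper's own encoding from Section 4.1, where attack = 0 and benign = 1, so the positive class is label 0. The sample predictions are constructed to reproduce the high-precision, low-recall pattern reported for medium-scale attacks in Section 5.2.1, and the block also shows how choosing the wrong positive label silently measures the benign class instead.

```python
# Added example, not the paper's code: TP/FN/FP/TN counts and the
# accuracy, precision and recall of Section 5.1.2, with the attack class
# encoded as 0 and the benign class as 1 (the paper's encoding).
ATTACK, BENIGN = 0, 1


def confusion_counts(y_true, y_pred, positive=ATTACK):
    """Return (TP, FN, FP, TN) with `positive` as the attack label."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    tp = fn = fp = tn = 0
    for t, p in zip(y_true, y_pred):
        if t == positive:
            if p == positive:
                tp += 1      # attack detected
            else:
                fn += 1      # attack missed (classified as benign)
        else:
            if p == positive:
                fp += 1      # benign flow flagged as attack
            else:
                tn += 1      # benign flow accepted
    return tp, fn, fp, tn


def metrics(y_true, y_pred, positive=ATTACK):
    """Accuracy, precision and recall as defined in Section 5.1.2.

    Denominators of zero (no predicted or no actual positives) yield 0.0
    instead of raising, so the function is safe on a one-class test file.
    """
    tp, fn, fp, tn = confusion_counts(y_true, y_pred, positive)
    total = tp + fn + fp + tn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def dominant_error(y_true, y_pred, positive=ATTACK):
    """Name the error type behind an unbalanced precision/recall pair."""
    _, fn, fp, _ = confusion_counts(y_true, y_pred, positive)
    if fn > fp:
        return "attacks classified as benign (recall suffers)"
    if fp > fn:
        return "benign flows classified as attack (precision suffers)"
    return "balanced"


# Constructed medium-scale test labels: 10 attack flows and 10 benign flows;
# the classifier misses 3 attacks and flags no benign flow.
MEDIUM_TRUE = [ATTACK] * 10 + [BENIGN] * 10
MEDIUM_PRED = [ATTACK] * 7 + [BENIGN] * 3 + [BENIGN] * 10

if __name__ == "__main__":
    print(metrics(MEDIUM_TRUE, MEDIUM_PRED))           # precision 1.0, recall 0.7
    print(dominant_error(MEDIUM_TRUE, MEDIUM_PRED))
    # Passing positive=BENIGN scores the benign class: recall becomes 1.0 and
    # precision drops to 10/13, the mirror image of the attack-class picture.
    print(metrics(MEDIUM_TRUE, MEDIUM_PRED, positive=BENIGN))
```
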

5.2. Detection Results

A comparative analysis is conducted between SEDAT and the baseline methods on four datasets: the multiscale network intrusion behavior dataset, the probability distribution-based multiscale network intrusion behavior dataset, the CIC IDS-2017 [25] dataset, and the UNSW-NB15 [26] dataset. The results of the experiments are analyzed to address the questions posed in Q1-Q5.

5.2.1. Detection Results on Multiscale Network Intrusion Behavior Dataset

The aim of this experiment is to compare the proposed SEDAT with the baseline methods using the multiscale (light, medium, heavy, and mixed) network intrusion behavior dataset. Firstly, we present the results of comparing the detection capabilities of SEDAT on different scale attacks, which are shown in Figure 6. Subsequently, we contrast the detection outcomes of SEDAT with baseline methods on the multiscale network intrusion behavior dataset, which are shown in Figure 7. Table 2 presents detailed metrics of the detection accuracy of different scales in various models.
Figure 6 illustrates the effectiveness of the proposed SEDAT model in detecting various scale attacks (light, medium, heavy, and mixed). SEDAT demonstrates an accuracy of 99.9% and a recall of 99.8% for binary classification of light-scale attacks. The result indicates that the proposed model is capable of identifying light-scale attacks and producing excellent detection results. The SEDAT shows higher precision but lower recall in the detection of medium network attacks, indicating that some attack samples are misclassified as benign samples. It is hypothesized that medium-scale network attacks are the most concealed. The model’s performance improves when detecting heavy-scale cyberattacks, resulting in higher recall and lower precision than the detection in medium cyberattacks. In the mixed-scale intrusion detection dataset, which contains a mix of light, medium, and heavy attacks, SEDAT achieves an accuracy of 98.9% and a precision of 99.0% in binary classification. The accuracy is higher than the detection in medium-scale cyberattacks. Therefore, the upcoming experimental process concentrates on the issue of medium-scale cyberattacks.
The specific accuracy values of different methods are illustrated in Table 2. It is clear that SEDAT performs better than both DL methods and classical ML methods related to AE or ensemble learning. The comparison results of SEDAT with baseline methods against multiscale network attacks are shown in Figure 7. In the experiment, all models demonstrate high precision and low recall for detecting medium-scale network attacks, suggesting that these models misclassified some benign samples as attack samples. This analysis indicates that SEDAT has a higher detection rate than the baseline methods; however, it tends to misclassify medium-scale attack samples as benign samples. Furthermore, the behavior of medium-scale network attacks is similar to general access behaviors, which results in attack traffic being easily hidden within benign traffic, making it more difficult to detect. This issue marks the bounds of SEDAT’s effectiveness.

5.2.2. Detection Results on Multiscale Network Intrusion Behavior Dataset Based on Probability Distributions

In real scenarios, the network bandwidth of a server often exhibits various probability distribution characteristics over time. Attackers can conceal their activities within benign traffic by adjusting the attack scales, thereby increasing detection difficulty. As a result, two multiscale attack patterns are generated that conform to continuous-type probability distributions. These attacks adjust startup parameters so that attack scales change over time. To verify the effectiveness of SEDAT in facing unknown-scale network attacks in real scenarios, we conduct comparison experiments between SEDAT and the baseline methods under two attack patterns.
Figure 8 presents a comparison of the experimental results in the probability distribution attack patterns. The Hulk attack demonstrates the highest recall among the different attack patterns, exceeding 99.8% accuracy in both attack patterns. This attack consumes resources, and its anomalous behavior deviates from general network access behavior. The model effectively identifies and captures these distinctive features. The proposed SEDAT model can distinguish TCP Flood attack traffic from benign traffic across all multiscale attack patterns based on probability distributions. The result exhibits a commendable level of accuracy in detecting TCP Flood attacks. However, among the three attacks, the Slowloris attack exhibits the longest latency period. Furthermore, it is the most similar to general access behavior, making it more challenging to detect and resulting in a lower detection rate. The experimental results demonstrate that SEDAT exhibits robust performance in detecting multiscale attacks and demonstrates a high degree of effectiveness in detecting attacks based on probability distributions.
In parallel, the multiscale attack datasets are used for training both the proposed SEDAT and the baseline methods. Two probability distribution-based multiscale attack datasets are utilized as the test datasets. As depicted in Table 3 and Figure 9, the accuracy of SEDAT consistently exceeds 96%, and the recall consistently surpasses 99.2%. The baseline methods, in contrast, provide a unified data representation of the attack. Furthermore, their detection effectiveness is slightly lower than that of SEDAT in these attack patterns. Therefore, SEDAT effectively captures multiscale relevant information and can adapt to unknown-scale network attacks in real scenarios.

5.2.3. Detection Results of UNSW-NB15 and CIC IDS-2017 Datasets

Thirdly, SEDAT is applied to the CIC IDS-2017 [25] and UNSW-NB15 [26] datasets. The results are compared with baseline methods to validate the detection performance of SEDAT. The experimental results are presented in Table 4 and Figure 10. The accuracy of SEDAT in binary classification is 99.5% in the UNSW-NB15 dataset and 99.3% in the CIC IDS-2017 dataset, both of which are higher than the baseline methods. Furthermore, the performance of the designed model is more stable than the baseline methods. The experimental results demonstrate that the proposed SEDAT model is not only applicable to the network environment designed in this paper but also capable of achieving balanced classification results in existing network benchmark datasets.

5.2.4. Computational Complexity of SEDAT and Baseline Methods

Finally, we compare the computational complexity of SEDAT and baseline methods. The test dataset is the mixed-scale network intrusion behavior dataset, which includes light, medium, and heavy network attacks. The experimental results are shown in Table 5, where SEDAT’s computational complexity reaches 222 s due to its training on three different attack scale datasets. However, by parallelizing the three base learning AEs in the code, the computational complexity is reduced to 137 s, which is approximately equal to the DL baseline method related to AEs but still higher than traditional ML methods. Therefore, in future research work, we will strive to improve the detection efficiency of SEDAT to achieve a balance between computational complexity and detection rate.

5.3. Parameter Sensitivity Analysis

During the process of feature extraction in the base learning AEs, we adjust the number of hidden layers, initial learning rate, and batch size while keeping other parameters constant. The aim is to understand how these parameters affect the quality of base learning AEs, subsequently influencing the classification performance of SEDAT.
During parameter adjustment, our goal is to determine the optimal number of hidden layers to achieve perfect performance. As shown in Table 6 and Figure 11a, with lower dimensions, the model demonstrates high recall but low precision. The result suggests that a larger number of benign samples are misclassified as attack samples, resulting in an unbalanced performance. With the increase in dimensions, precision improves while recall decreases. This shift indicates fewer misclassifications of benign samples as attack samples, leading to a more balanced performance. However, when the dimension of the hidden layer is in proximity to the input layer, we observe low precision and high recall again. This indicates that the model may overfit due to its sensitivity to noise and outliers. Therefore, we determine that setting the hidden layer dimension to 16 in the base learning AEs is optimal.
During the adjustment of the initial learning rate, we explore its effect on the convergence of the loss function within a range from 0.1 to 0.0001. The experimental results are depicted in Figure 11b. When the initial learning rate is excessively large, the loss function initially decreases rapidly, accelerating model convergence. However, there may be slight oscillations. Conversely, with an overly small initial learning rate, the model converges slowly and may easily get stuck in local optima. During training, specific parameter updates jump out of the current local optimum, resulting in a sudden drop in the loss value. Therefore, in this study, we choose an initial learning rate of 0.01. The choice of learning rate allows for faster model convergence without being trapped in local optima.
During the process of adjusting the batch size, we evaluate the performance in the multiscale network attack detection task. The adjustment process and the model performance are illustrated in Table 7 and Figure 11c. The data present in the table provide evidence that smaller batch sizes result in reduced computational efficiency because they process fewer samples per iteration. However, smaller batches introduce more randomness, which can prevent overfitting. On the other hand, larger batch sizes consume more memory. Therefore, a batch size of 24 is selected in this paper. The choice strikes a balance between maintaining high computational efficiency and ensuring robust model performance.

5.4. Traffic Similarity Analysis

The experiments conducted on SEDAT reveal that all models exhibit identical effectiveness in detecting medium-scale cyberattacks compared to light- and heavy-scale cyberattacks. Furthermore, the experimental results summarized in Section 5.2.1 indicate that all models show a higher degree of misclassification in the classification of medium-scale cyberattacks. The results lead to the fuzzy samples being more biased towards benign samples, resulting in high precision and low recall. To address this issue, principal component analysis (PCA) is employed to analyze the similarity between different scale attack samples and benign samples. PCA is a widely used method for data analysis, which transforms the original feature data into a set of linearly uncorrelated dimensions through linear transformation. The method is commonly used to reduce the dimensions in high-dimensional data. PCA visualizes and analyzes network traffic by compressing the data space and visualizing multivariate data features in a lower-dimensional space. PCA is used to reduce the dimension of network traffic data, reducing it from 18 features to 2 features in order to distinguish between normal traffic and different scale attack traffic. In Figure 12, a two-dimensional scatter plot of traffic samples categorizes network traffic into attack samples and benign samples based on the two principal components (PC1, PC2). The figure clearly shows that both light and heavy network traffic exhibit a noticeable number of outlier samples, which can be distinguished from benign network traffic. However, the scatter plot of medium-scale network attacks indicates some similarity. Attack samples overlap with the region of benign samples, and outlier samples are not clearly distinguishable.

5.5. Discussion and Improvement

For Q1, the proposed SEDAT model in this paper demonstrates that light-scale cyberattacks deviate from general network access behavior, and their generated traffic cannot effectively blend with benign traffic. Consequently, SEDAT is effective in detecting subtle network attacks.
For Q2, the detection performance of SEDAT depends on the degree of deviation between attack behavior and general behavior. When the degree is smaller, detection becomes more challenging, leading to an increase in false-positive rates. However, when the degree is larger, detection becomes easier, leading to an increase in accuracy. As a result, the proposed SEDAT model is able to more accurately identify light and heavy cyberattacks, but it is unable to identify medium-scale cyberattacks with higher stealthiness.
For Q3, the experimental results of this paper indicate that traffic generated by a medium-scale cyberattack is similar to benign traffic. The fuzzy samples above this scale tend to be classified as attacks. The fuzzy samples below this scale tend to be classified as benign. Therefore, medium-scale network attacks represent the bounds of the algorithm’s effectiveness.
For Q4, this paper presents a detailed analysis of the hidden layer, initial learning rate, and batch size. These parameters indirectly impact the detection performance and classification results of SEDAT.
For Q5, this paper examines similarities between different scale attack traffic and benign network traffic. Through PCA analysis, it is found that features of medium-scale attack traffic in low-dimensional space exhibit similarities to benign network traffic. The observation suggests that medium-scale attack traffic may pose challenges in detection due to its ability to blend in with benign network traffic. Based on the discussion of the effectiveness bounds of SEDAT, the model can be improved to reduce sensitivity to noise and outliers in subsequent research. In addition, in the probability distribution-based multiscale network attack detection results, the model is able to capture relevant information at multiple scales and demonstrates an accuracy of over 96%. However, the detection results in these patterns are unbalanced. Therefore, future research should aim to enhance the stability of the model and reduce its computational complexity in order to achieve stable detection results when faced with attacks of unknown scales.

6. Conclusions

This paper proposes a stacked ensemble learning-based detection model for anomalous traffic in order to defend against multiscale network attacks. Experimental results demonstrate that the proposed SEDAT model achieves a classification accuracy of 98.9% for multiscale network attacks. The proposed SEDAT model exhibits an accuracy exceeding 96% under probability distribution-based multiscale attack patterns, showcasing effective detection capability against highly concealed attack behaviors. Additionally, the experimental results reveal that medium-scale attacks can seamlessly blend with general traffic, resulting in longer concealment periods and greater difficulty in detection. The proposed SEDAT model exhibits a higher false-positive rate at this attack scale. In our future work, we will focus on addressing the issue of high false positives in concealed attacks and exploring attack scales that completely blend in with general traffic. We will also analyze and detect anomalies in network traffic from real-world environments to comprehensively enhance the effectiveness of detection and defend against multiscale network attacks.

Author Contributions

Conceptualization, Z.Y., Q.S., Y.L. and Y.F.; methodology, Z.Y.; software, Y.F.; formal analysis, Y.L.; resources, Q.S.; writing—original draft, Z.Y. and Y.F. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded in part by the National Natural Science Foundation of China under Grant 62172331, in part by the Natural Science Founds of Shaanxi under Grant 2023-YBGY-271, in part by the Natural Science Foundation of Sichuan Province (No.: 2023NSFSC0502, 2022NSFSC0554, 2022NSFSC0549), in part by the Youth Innovation Team Construction of Shaanxi Provincial Department of Education (No.: 21JP081, 22JP059), in part by the Xi’an Science and Technology Plan under Grant 22GXFW0083, in part by the Project of Xi’an Science and Technology Bureau under Grant 22GXFW0079, in part by the Youth Innovation Team of Shaanxi Universities (No.: 2019-38), and in part by the Guangxi Key Laboratory of Trusted Software (No.: KX202036).

Data Availability Statement

Data are contained within the article.

Acknowledgments

The authors would like to thank the editor and the anonymous reviewers for their valuable comments.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
SEDAT: Stacked ensemble learning-based detection model for anomalous traffic
DL: Deep learning
RF: Random forest
DNN: Deep neural network
AE: Autoencoder
LAN: Local area network
ML: Machine learning
AI: Artificial intelligence
I/O: Input/output
reqs/s: Requests per second
Mbps: Mega-bits per second
PDF: Probability density function
TP: True positive
FN: False negative
FP: False positive
TN: True negative
PCA: Principal component analysis

References

1. Thanh, C.T.; Zelinka, I. A survey on artificial intelligence in malware as next-generation threats. Mendel 2019, 25, 27–34.
2. BBG Cyber Report: DDoS Attack Disrupts Cambridge University, Exposing UK Education Sector Vulnerabilities. Available online: https://www.bbg-mn.com/1484/16/14/ (accessed on 22 July 2024).
3. Critical Incident over London Hospitals’ Cyber-Attack. Available online: https://www.bbc.com/news/articles/c288n8rkpvno (accessed on 22 July 2024).
4. Wu, X.; Tang, D.; Liu, T.; Man, J.; Zhan, S.; Liu, Q. A low-rate DoS attack detection method based on Hilbert spectrum and correlation. In Proceedings of the 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), Guangzhou, China, 8–12 October 2018; pp. 1358–1363.
5. Ghasemi, H.; Shahram, B. A new intrusion detection system based on SVM–GWO algorithms for Internet of Things. Wirel. Netw. 2024, 30, 2173–2185.
6. Turukmane, A.V.; Ramkumar, D. M-MultiSVM: An efficient feature selection assisted network intrusion detection system using machine learning. Comput. Secur. 2024, 137, 103587.
7. Alzahrani, A.O.; Alenazi, M.J.F. ML-IDSDN: Machine learning based intrusion detection system for software-defined network. Concurr. Comput. Pract. Exp. 2023, 35, e7438.
8. Zhang, W.; Ramezani, R.; Naeim, A. WOTBoost: Weighted oversampling technique in boosting for imbalanced learning. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 2523–2531.
9. Vincent, S.S.M.; Duraipandian, N. Detection and prevention of sinkhole attacks in MANETs based routing protocol using hybrid AdaBoost-Random forest algorithm. Expert Syst. Appl. 2024, 249, 123765.
10. Devan, P.; Khare, N. An efficient XGBoost–DNN-based classification model for network intrusion detection system. Neural Comput. Appl. 2020, 32, 12499–12514.
11. Alzughaibi, S.; Khediri, S. A cloud intrusion detection systems based on DNN using backpropagation and PSO on the CSE-CIC-IDS2018 dataset. Appl. Sci. 2023, 13, 2276.
12. Anbalagan, S.; Raja, G.; Gurumoorthy, S.; Suresh, R.D.; Dev, K. IIDS: Intelligent intrusion detection system for sustainable development in autonomous vehicles. IEEE Trans. Intell. Transp. Syst. 2023, 24, 15866–15875.
13. El-Ghamry, A.; Darwish, A.; Hassanien, A.E. An optimized CNN-based intrusion detection system for reducing risks in smart farming. Internet Things 2023, 22, 100709.
14. Kumar, G.S.C.; Kumar, R.K.; Kumar, K.P.V.; Sai, N.R.; Brahmaiah, M. Deep residual convolutional neural network: An efficient technique for intrusion detection system. Expert Syst. Appl. 2024, 238, 121912.
15. Jablaoui, R.; Noureddine, L. An effective deep CNN-LSTM based intrusion detection system for network security. In Proceedings of the 2024 International Conference on Control, Automation and Diagnosis (ICCAD), Paris, France, 15–17 May 2024; pp. 1–6.
16. Paya, A.; Arroni, S.; García-Díaz, V.; Gómez, A. Apollon: A robust defense system against adversarial machine learning attacks in intrusion detection systems. Comput. Secur. 2024, 136, 103546.
17. Li, S.; Cao, Y.; Liu, S.; Lai, Y.; Zhu, Y.; Ahmad, N. HDA-IDS: A hybrid DoS attacks intrusion detection system for IoT by using semi-supervised CL-GAN. Expert Syst. Appl. 2024, 238, 122198.
18. Charoenkwan, P.; Chiangjong, W.; Nantasenamat, C.; Hasan, M.M.; Manavalan, B.; Shoombuatong, W. StackIL6: A stacking ensemble model for improving the prediction of IL-6 inducing peptides. Brief. Bioinform. 2021, 22, bbab172.
19. Sarıkaya, A.; Kılıç, B.G.; Demirci, M. RAIDS: Robust autoencoder-based intrusion detection system model against adversarial attacks. Comput. Secur. 2023, 135, 103483.
20. Shone, N.; Ngoc, T.N.; Phai, V.D.; Shi, Q. A deep learning approach to network intrusion detection. IEEE Trans. Emerg. Top. Comput. Intell. 2018, 2, 41–50.
21. Rosay, A.; Carlier, F.; Leroux, P. MLP4NIDS: An efficient MLP-based network intrusion detection for CICIDS2017 dataset. In Proceedings of the Machine Learning for Networking: Second IFIP TC 6 International Conference, Paris, France, 3–5 December 2019; pp. 240–254.
22. Faker, O.; Dogdu, E. Intrusion detection using big data and deep learning techniques. In Proceedings of the 2019 ACM Southeast Conference, Kennesaw, GA, USA, 18–20 April 2019; pp. 86–93.
23. Paul, S.; Mukherjee, D.; Das, P.; Gangopadhyay, A.; Chintha, A.R.; Kundu, S. Improved random forest for classification. IEEE Trans. Image Process. 2018, 27, 4012–4024.
24. Cervantes, J.; Garcia-Lamont, F.; Rodríguez-Mazahua, L.; Lopez, A. A comprehensive survey on support vector machine classification: Applications, challenges and trends. Neurocomputing 2020, 408, 189–215.
25. Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. Toward generating a new intrusion detection dataset and intrusion traffic characterization. In Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP), Funchal, Portugal, 22–24 January 2018; pp. 108–116.
26. Moustafa, N.; Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, 10–12 November 2015; pp. 1–6.
27. Tavallaee, M.; Bagheri, E.; Lu, W.; Ghorbani, A.A. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada, 8–10 July 2009; pp. 1–6.
28. Dhanabal, L.; Shantharajah, S.P. A study on NSL-KDD dataset for intrusion detection system based on classification algorithms. Int. J. Adv. Res. Comput. Commun. Eng. 2015, 4, 446–452.
29. Gopalan, S.S.; Ravikumar, D.; Linekar, D.; Raza, A.; Hasib, M. Balancing approaches towards ML for IDS: A survey for the CSE-CIC IDS dataset. In Proceedings of the 2020 International Conference on Communications, Signal Processing, and their Applications (ICCSPA), Sharjah, United Arab Emirates, 16–18 March 2021; pp. 1–6.
30. Damasevicius, R.; Venckauskas, A.; Grigaliunas, S.; Toldinas, J.; Morkevicius, N.; Aleliunas, T.; Smuikys, P. LITNET-2020: An annotated real-world network flow dataset for network intrusion detection. Electronics 2020, 9, 800.
31. Catillo, M.; Del Vecchio, A.; Ocone, L.; Pecchia, A.; Villano, U. USB-IDS-1: A public multilayer dataset of labeled network flows for IDS evaluation. In Proceedings of the 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Taipei, Taiwan, 21–24 June 2021; pp. 1–6.
32. Patel, N.D.; Mehtre, B.M.; Wankar, R. OD-IDS2022: Generating a new offensive defensive intrusion detection dataset for machine learning-based attack classification. Int. J. Inf. Technol. 2023, 15, 4349–4363.
33. Herzalla, D.; Lunardi, W.T.; Andreoni, M. TII-SSRC-23 dataset: Typological exploration of diverse traffic patterns for intrusion detection. IEEE Access 2023, 11, 118577–118594.
34. Kim, Y.; Hakak, S.; Ghorbani, A. DDoS attack dataset (CICEV2023) against EV authentication in charging infrastructure. In Proceedings of the 2023 20th Annual International Conference on Privacy, Security and Trust (PST), Copenhagen, Denmark, 21–23 August 2023; pp. 1–9.
35. Buzzio-García, J.; Vergara, J.; Ríos-Guiral, S.; Garzón, C.; Gutiérrez, S.; Botero, J.F.; Quiroz-Arroyo, J.L.; Pérez-Díaz, J.A. Exploring traffic patterns through network programmability: Introducing SDNFLow, a comprehensive OpenFlow-based statistics dataset for attack detection. IEEE Access 2024, 12, 42163–42180.
36. Cordero, C.G.; Vasilomanolakis, E.; Wainakh, A.; Mühlhäuser, M.; Nadjm-Tehrani, S. On generating network traffic datasets with synthetic attacks for intrusion detection. ACM Trans. Priv. Secur. 2021, 24, 1–39.
37. Ferriyan, A.; Thamrin, A.H.; Takeda, K.; Murai, J. Generating network intrusion detection dataset based on real and encrypted synthetic attack traffic. Appl. Sci. 2021, 11, 7868.
38. Kumar, V.; Sinha, D. Synthetic attack data generation model applying generative adversarial network for intrusion detection. Comput. Secur. 2023, 125, 103054.
39. Ashfaq, R.A.R.; Wang, X.Z.; Huang, J.Z.; Abbas, H.; He, Y.L. Fuzziness based semi-supervised learning approach for intrusion detection system. Inf. Sci. 2017, 378, 484–497.
40. Jabez, J.; Muthukumar, B. Intrusion Detection System (IDS): Anomaly detection using outlier detection approach. Procedia Comput. Sci. 2015, 48, 338–346.
41. Ianni, M.; Masciari, E. Scout: Security by computing outliers on activity logs. Comput. Secur. 2023, 132, 103355.
42. Dong, S. Multi class SVM algorithm with active learning for network traffic classification. Expert Syst. Appl. 2021, 176, 114885.
43. Hu, F.; Zhang, S.; Lin, X.; Wu, L.; Liao, N.; Song, Y. Network traffic classification model based on attention mechanism and spatiotemporal features. EURASIP J. Inf. Secur. 2023, 2023, 6.
44. Xiao, X.; Xiao, W.; Li, R.; Luo, X.; Zheng, H.; Xia, S. EBSNN: Extended byte segment neural network for network traffic classification. IEEE Trans. Dependable Secur. Comput. 2021, 19, 3521–3538.
45. Diallo, A.F.; Patras, P. Adaptive clustering-based malicious traffic classification at the network edge. In Proceedings of the IEEE INFOCOM 2021-IEEE Conference on Computer Communications, New York City, NY, USA, 10–13 May 2021; pp. 1–10.
46. Kaja, N.; Shaout, A.; Ma, D. An intelligent intrusion detection system. Appl. Intell. 2019, 49, 3235–3247.
47. Hsu, Y.F.; He, Z.Y.; Tarutani, Y.; Matsuoka, M. Toward an online network intrusion detection system based on ensemble learning. In Proceedings of the 2019 IEEE 12th International Conference on Cloud Computing (CLOUD), Milan, Italy, 8–13 July 2019; pp. 174–178.
48. Vaca, F.D.; Niyaz, Q. An ensemble learning based Wi-Fi network intrusion detection system (WNIDS). In Proceedings of the 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA), Boston, MA, USA, 1–3 November 2018; pp. 1–5.
49. Xu, C.; Shen, J.; Du, X.; Zhang, F. An intrusion detection system using a deep neural network with gated recurrent units. IEEE Access 2018, 6, 48697–48707.
50. Tang, D.; Wang, S.; Liu, B.; Jin, W.; Zhang, J. GASF-IPP: Detection and mitigation of LDoS attack in SDN. IEEE Trans. Serv. Comput. 2023, 16, 3373–3384.
51. Tang, D.; Zhang, S.; Yan, Y.; Chen, J.; Qin, Z. Real-time detection and mitigation of LDoS attacks in the SDN using the HGB-FP algorithm. IEEE Trans. Serv. Comput. 2021, 15, 3471–3484.
52. Hulk DoS Tool. Available online: https://github.com/grafov/hulk (accessed on 22 July 2024).
53. TCP-UDP-Flood. Available online: https://github.com/Leeon123/TCP-UDP-Flood/tree/master (accessed on 22 July 2024).
54. slowloris.py—Simple Slowloris in Python. Available online: https://github.com/gkbrk/slowloris (accessed on 22 July 2024).
55. Gin Web Framework. Available online: https://gin-gonic.com/ (accessed on 22 July 2024).
56. TCPDUMP 4.x.y by The Tcpdump Group. Available online: https://github.com/the-tcpdump-group/tcpdump (accessed on 22 July 2024).
57. CICFlowMeter-V4.0. Available online: https://github.com/ahlashkari/CICFlowMeter (accessed on 22 July 2024).
58. curl-loader. Available online: https://curl-loader.sourceforge.net/ (accessed on 22 July 2024).
59. Shi, G.; Song, J.; Li, J. Research on the impact of different feature stream data on Flink performance. Comput. Sci. Appl. 2022, 12, 2599.
60. Ding, C.; Chen, Y.; Liu, Z.; Alshehri, A.M.; Liu, T. Fractal characteristics of network traffic and its correlation with network security. Fractals 2022, 30, 2240067.
61. Alasmar, M.; Clegg, R.; Zakhleniuk, N.; Parisis, G. Internet traffic volumes are not Gaussian—They are log-normal: An 18-year longitudinal study with implications for modelling and prediction. IEEE/ACM Trans. Netw. 2021, 29, 1266–1279.
62. Sah, D.K.; Cengiz, K.; Donta, P.K.; Inukollu, V.N.; Amgoth, T. EDGF: Empirical dataset generation framework for wireless sensor networks. Comput. Commun. 2021, 180, 48–56.
63. Nuha, H.H.; Prabowo, S. TCP congestion window analysis of Twitter with exponential model. In Proceedings of the 2018 6th International Conference on Information and Communication Technology (ICoICT), Bandung, Indonesia, 3–5 May 2018; pp. 61–65.
Figure 1. The experimental test environment is divided into two networks: the user-side network, which sends network requests, and the victim network, which receives them. Network traffic is divided into two categories: dataset traffic (red arrows), which is captured with tcpdump, and monitor traffic (green arrows), which is used to monitor the scale of the attack.
Figure 2. Validation of the effectiveness of multiscale attacks: (a,b) Hulk attack; (c,d) TCP Flood attack; (e,f) Slowloris attack.
Figure 3. Examples of attack scales conforming to probability distributions: (a–c) attack scales following a normal distribution; (d–f) attack scales following an exponential distribution.
Figure 4. Validation of the effectiveness of multiscale attacks based on probability distributions: (a–c) Hulk attack; (d–f) TCP Flood attack; (g–i) Slowloris attack.
Figure 5. Overview of the stacked ensemble learning-based detection model for anomalous traffic (SEDAT) used to defend against multiscale network attacks, with its three modules: data preprocessing, feature selection, and anomaly detection.
Figure 6. Comparison of experimental results of SEDAT on the multiscale network intrusion behavior dataset.
Figure 7. Comparison of experimental results among different models on the multiscale network intrusion behavior dataset.
Figure 8. Comparison of the results of SEDAT on the multiscale network intrusion behavior dataset based on probability distributions.
Figure 9. Comparison of results among different models on the multiscale network intrusion behavior dataset based on probability distributions.
Figure 10. Comparison of the accuracy among different models on the UNSW-NB15 and CIC IDS-2017 datasets.
Figure 11. Parameter sensitivity analysis results; the red arrow in (b) marks a local zoom-in that makes the subtle differences between learning rates easier to observe.
Figure 12. PCA scatter plot of network traffic similarity.
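The multiscale attack patterns of Figure 3 draw the attack scale from a normal or an exponential distribution. The following Python block is an added example, not code from the paper or its authors, of how such a schedule can be generated for a rate-controlled load generator. The scale unit (requests per second), the interval length, the distribution parameters, the seed and the clipping bounds are assumptions made here for illustration.

```python
"""Added example (not from the SEDAT paper or its authors): generate a
multiscale attack schedule whose per-interval scale follows a normal or
an exponential distribution, in the spirit of Figure 3.  The scale unit
(requests per second), the interval length, the distribution parameters,
the seed and the clipping bounds are assumptions made here."""
import random
import statistics
from dataclasses import dataclass
from typing import Optional


@dataclass
class Schedule:
    distribution: str
    interval_s: float
    rates: list  # one attack scale per interval (assumed unit: requests/s)

    def summary(self) -> dict:
        return {
            "mean": statistics.fmean(self.rates),
            "stdev": statistics.pstdev(self.rates),
            "min": min(self.rates),
            "max": max(self.rates),
        }


def multiscale_schedule(distribution: str, intervals: int, mean: float,
                        stdev: float = 0.0, max_rate: Optional[float] = None,
                        interval_s: float = 1.0, seed: int = 0) -> Schedule:
    """Draw one attack-scale value per interval.

    distribution: "normal" uses (mean, stdev); "exponential" uses mean only.
    Each draw is clipped to [0, max_rate]: a negative rate cannot be
    replayed, and max_rate (assumed to be the victim's measured capacity)
    keeps a "light" pattern from turning into a flood by chance.
    """
    rng = random.Random(seed)  # seeded so the dataset build is reproducible
    samplers = {
        "normal": lambda: rng.gauss(mean, stdev),
        "exponential": lambda: rng.expovariate(1.0 / mean),
    }
    if distribution not in samplers:
        raise ValueError(f"unknown distribution: {distribution}")
    draw = samplers[distribution]
    rates = []
    for _ in range(intervals):
        r = max(0.0, draw())
        if max_rate is not None:
            r = min(r, max_rate)
        rates.append(r)
    return Schedule(distribution, interval_s, rates)


def to_tool_args(schedule: Schedule) -> list:
    """(start offset in seconds, integer rate) pairs for a rate-limited
    load generator that accepts a new target rate each interval."""
    return [(i * schedule.interval_s, round(r))
            for i, r in enumerate(schedule.rates)]


if __name__ == "__main__":
    normal = multiscale_schedule("normal", 600, mean=200.0, stdev=50.0,
                                 max_rate=400.0, seed=1)
    expo = multiscale_schedule("exponential", 600, mean=100.0,
                               max_rate=400.0, seed=1)
    print("normal     ", normal.summary())
    print("exponential", expo.summary())
    print("first steps", to_tool_args(normal)[:5])
```

Clipping at zero matters for the normal case: with a small mean and a large standard deviation the raw draw goes negative, which no tool can replay. The fixed seed is what lets a captured PCAP be matched back to the exact scale sequence that produced it when the dataset is rebuilt.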
Table 1. Statistical information on the multiscale network intrusion behavior dataset.

Name of the CSV file                    Total      Attack     Benign
Hulk_light                            400,130     324,595     75,535
Hulk_medium                           416,092     338,360     77,732
Hulk_heavy                            440,635     369,387     71,248
TCP_Flood_light                         2,761       2,620        141
TCP_Flood_medium                        2,791       2,669        122
TCP_Flood_heavy                         2,659       2,608         51
Slowloris_light                       399,375     395,248      4,127
Slowloris_medium                      476,743     429,339     47,404
Slowloris_heavy                       420,697     419,671      1,026
Hulk_normal_distribution              765,860     693,861     71,999
TCP_Flood_normal_distribution           7,114       6,984        130
Slowloris_normal_distribution          74,425      71,938      2,487
Hulk_exponential_distribution         436,628     395,292     41,336
TCP_Flood_exponential_distribution      4,909       4,767        142
Slowloris_exponential_distribution     57,830      55,576      2,254
Normal_traffic                        297,905           0    297,905
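Most files in Table 1 are heavily imbalanced (Slowloris_heavy has 1,026 benign flows against 419,671 attack flows), so accuracy alone says little about a detector. The Python block below is an added example, not part of the paper, that computes the majority-class accuracy floor for several Table 1 files (counts copied from the table) and the confusion-matrix metrics built from the TP, FN, FP and TN counts listed under Abbreviations. The ten-flow label lists at the end are constructed here for illustration.

```python
"""Added example (not from the SEDAT paper): read Table 1 as a class-
imbalance check.  Accuracy is easy to inflate on files where one class
dominates, so the majority-class baseline and the confusion-matrix
metrics (TP, FN, FP, TN -> accuracy, precision, recall, F1) are computed
side by side.  The flow counts are copied from Table 1; the label lists
in the demo at the bottom are constructed here."""
from dataclasses import dataclass

# (file name, attack flows, benign flows), copied from Table 1
TABLE1 = [
    ("Hulk_light", 324_595, 75_535),
    ("Hulk_heavy", 369_387, 71_248),
    ("TCP_Flood_heavy", 2_608, 51),
    ("Slowloris_light", 395_248, 4_127),
    ("Slowloris_heavy", 419_671, 1_026),
    ("Slowloris_exponential_distribution", 55_576, 2_254),
]


@dataclass(frozen=True)
class Confusion:
    tp: int  # attack flow flagged as attack
    fn: int  # attack flow missed
    fp: int  # benign flow flagged as attack
    tn: int  # benign flow passed

    @property
    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.fn + self.fp + self.tn)

    @property
    def precision(self) -> float:
        denom = self.tp + self.fp
        return self.tp / denom if denom else 0.0

    @property
    def recall(self) -> float:
        denom = self.tp + self.fn
        return self.tp / denom if denom else 0.0

    @property
    def f1(self) -> float:
        p, r = self.precision, self.recall
        return 2 * p * r / (p + r) if (p + r) else 0.0


def majority_baseline(attack: int, benign: int) -> Confusion:
    """A 'detector' that labels every flow with the majority class.
    Attack is the positive class."""
    if attack >= benign:
        return Confusion(tp=attack, fn=0, fp=benign, tn=0)
    return Confusion(tp=0, fn=attack, fp=0, tn=benign)


def group_baseline(names) -> Confusion:
    """Majority-class baseline over several Table 1 files pooled together."""
    rows = [(a, b) for n, a, b in TABLE1 if n in names]
    return majority_baseline(sum(a for a, _ in rows), sum(b for _, b in rows))


def confusion_from_labels(y_true, y_pred) -> Confusion:
    """Build the confusion matrix from per-flow labels (1 = attack)."""
    pairs = list(zip(y_true, y_pred))
    return Confusion(
        tp=sum(1 for t, p in pairs if t == 1 and p == 1),
        fn=sum(1 for t, p in pairs if t == 1 and p == 0),
        fp=sum(1 for t, p in pairs if t == 0 and p == 1),
        tn=sum(1 for t, p in pairs if t == 0 and p == 0),
    )


def baseline_table() -> dict:
    """Majority-class accuracy per file: the floor any reported accuracy
    on that file has to be compared against."""
    return {name: majority_baseline(a, b).accuracy for name, a, b in TABLE1}


if __name__ == "__main__":
    for name, acc in baseline_table().items():
        print(f"{name:36s} majority-class accuracy = {acc:.4f}")
    heavy = group_baseline({"Hulk_heavy", "TCP_Flood_heavy", "Slowloris_heavy"})
    print(f"heavy-scale files pooled             floor = {heavy.accuracy:.4f}")
    # Constructed mini example: 9 attack flows and 1 benign flow; the
    # detector misses one attack and also flags the benign flow.
    c = confusion_from_labels([1] * 9 + [0], [1] * 8 + [0] + [1])
    print(c, f"acc={c.accuracy:.2f} prec={c.precision:.3f} "
             f"rec={c.recall:.3f} f1={c.f1:.3f}")
```

On the Slowloris_heavy file alone, flagging every flow as an attack already scores 99.76% accuracy; pooling the three heavy-scale files of Table 1 lowers that floor to about 91.6%. Per-class precision and recall, in particular how many of the few benign flows a model passes, are therefore the figures to ask for alongside the accuracies in Tables 2 to 4.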
Table 2. Comparison of accuracy among different models on the multiscale network intrusion behavior dataset.

Attack Scale      SEDAT    RAIDS    NDAES    MLP      DNN      RF       SVM
Light scale       99.9%    97.9%    98.7%    97.3%    96.4%    95.7%    96.2%
Medium scale      98.2%    95.4%    96.1%    95.7%    95.5%    95.3%    95.5%
Heavy scale       99.5%    96.8%    97.2%    96.7%    96.4%    92.4%    94.1%
Mixed scale       98.9%    94.9%    97.5%    96.5%    95.9%    96.1%    92.6%

Table 3. Comparison of the accuracy among different models on the multiscale network intrusion behavior dataset based on probability distributions.

Attack Scale              SEDAT    RAIDS    NDAES    MLP      DNN      RF       SVM
Normal distribution       99.3%    92.5%    64.1%    80.0%    60.3%    71.8%    67.0%
Exponential distribution  96.0%    91.0%    68.8%    58.4%    55.6%    67.7%    59.9%

Table 4. Comparison of the accuracy among different models on the UNSW-NB15 and CIC IDS-2017 datasets.

Dataset           SEDAT    RAIDS    NDAES    MLP      DNN      RF       SVM
UNSW-NB15         99.5%    84.8%    94.9%    99.3%    97.7%    92.7%    88.1%
CIC IDS-2017      99.3%    99.0%    94.7%    96.3%    99.1%    98.8%    94.9%
Table 5. Computational complexity of SEDAT and baseline methods.
SEDATRAIDSNDAESMLPDNNRFSVM
222 137 s191 s116 s133 s113 s7 s7 s
Table 6. Comparison of the number of hidden layers analysis results.

Hidden Layers    Accuracy    Precision    Recall
2                98.55%      98.32%       98.73%
3                98.50%      98.40%       98.55%
4                98.60%      98.50%       98.60%
5                98.57%      98.75%       98.33%
6                98.90%      99.08%       98.68%
7                98.80%      98.83%       98.72%
8                98.77%      98.74%       98.75%
9                98.47%      98.53%       98.36%
10               98.86%      98.92%       98.76%
11               98.85%      98.99%       98.67%
12               98.60%      98.74%       98.41%
13               98.72%      98.67%       98.73%
14               98.56%      98.71%       98.36%
15               98.68%      98.62%       98.70%
16               98.95%      99.08%       98.92%
17               98.77%      98.72%       98.77%
18               98.78%      98.63%       98.75%

Table 7. Comparison of batch size analysis results.

Batch Size    Time (s)    Accuracy    Precision    Recall
8             653         98.7%       98.6%        98.8%
16            331         98.8%       98.8%        98.7%
24            222         98.9%       99.0%        98.9%
32            174         98.8%       98.8%        98.7%
64            93          98.7%       98.6%        98.7%
128           52          98.5%       98.4%        98.5%
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Feng, Y.; Yang, Z.; Sun, Q.; Liu, Y. SEDAT: A Stacked Ensemble Learning-Based Detection Model for Multiscale Network Attacks. Electronics 2024, 13, 2953. https://doi.org/10.3390/electronics13152953