Abstract

Many of the proposed machine learning (ML) based network intrusion detection systems (NIDSs) achieve near-perfect detection performance when evaluated on synthetic benchmark datasets. However, there is no record of whether and how these results generalise to other network environments. In this paper, we investigate the cross-domain performance of ML-based NIDSs by extensively evaluating eight supervised and unsupervised learning models on four recently published benchmark NIDS datasets. Our investigation indicates that none of the considered models is able to generalise over all studied datasets. Interestingly, our results also indicate that the cross-domain performance has a high degree of asymmetry, i.e., swapping the source and target domains can significantly change the classification performance. Our investigation also indicates that overall, unsupervised learning methods perform better than supervised learning models in our considered scenarios. We further used SHAP values to explain the observed cross-domain performance results. They show a high correlation between good model performance and a correspondence between feature distributions/values and Attack/Benign classes.
