METHOD FOR REDUCING FALSE POSITIVES IN INTRUSION DETECTION SYSTEMS BASED ON THRESHOLD FILTERING AND GRADIENT BOOSTING

Authors

DOI: https://doi.org/10.35546/kntu2078-4481.2026.1.51

Keywords:

intrusion detection, machine learning, cyberattacks, network security, false positives, threshold filtering

Abstract

The growing number and complexity of cyber threats make it necessary to improve the efficiency of intrusion detection systems. The practical use of such systems is significantly complicated by a high level of false positives, which overloads security professionals. The aim of this work is to develop a method for reducing false positives in network intrusion detection systems that provides an optimal balance among classification accuracy, computational efficiency, and practical suitability for deployment in real network environments. The proposed method combines the LightGBM gradient boosting algorithm with an adaptive threshold filtering mechanism and a fallback class. A microservice architecture for the system based on Docker containerization has been developed, comprising five main components: CICFlowMeter for flow generation, Converter for format conversion, Agent for event batching, API Server for classification, and Dashboard for results visualization. The key scientific novelty is the adaptive threshold filtering algorithm, which uses an individual threshold value for each attack class and automatically returns a prediction to the BENIGN class when the model's confidence is insufficient. Experimental studies on the public CIC-IDS2017 dataset showed that the proposed method achieves an F1-score = 0.949 and a false positive rate of 2.1 %, a 74 % reduction compared to the basic LightGBM model without post-processing. Compared to the MLP multilayer neural network, the proposed solution achieves higher accuracy with a fourfold reduction in training time and inference that is almost twice as fast. The contribution of each component of the proposed system to the accuracy of cyberattack detection was also investigated. Testing across different attack types showed the best detection efficiency for DDoS, PortScan, and DoS attacks.
The practical significance of the work lies in the ability to apply the proposed method in real intrusion detection systems without the need for graphics accelerators, making it suitable for organizations with limited computing resources.
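The post-processing step the abstract describes (per-class confidence thresholds with a fallback to BENIGN) as an added illustration in plain Python; this is not the paper's code, and the class names, threshold values and probability vectors below are constructed for the example:

```python
"""Per-class threshold filtering with a BENIGN fallback applied to the
probability vectors a multi-class classifier (e.g. LightGBM) emits per flow."""

BENIGN = "BENIGN"

# Assumed per-class thresholds; the paper tunes one value per attack class.
THRESHOLDS = {"DDoS": 0.60, "PortScan": 0.70, "DoS": 0.65, "BotNet": 0.90}


def argmax_label(probs):
    """Baseline decision without post-processing: most probable class."""
    return max(probs, key=probs.get)


def filter_label(probs, thresholds=THRESHOLDS, fallback=BENIGN):
    """Keep the argmax class only if its probability clears that class's own
    threshold; otherwise fall back to BENIGN. Unknown classes are never trusted."""
    label = argmax_label(probs)
    if label != fallback and probs[label] < thresholds.get(label, 1.0):
        return fallback
    return label


def false_positive_rate(truth, predicted, benign=BENIGN):
    """Share of truly benign flows that were reported as some attack class."""
    benign_idx = [i for i, t in enumerate(truth) if t == benign]
    flagged = sum(1 for i in benign_idx if predicted[i] != benign)
    return flagged / len(benign_idx) if benign_idx else 0.0


# Constructed batch: (true label, probability vector) for each flow.
SAMPLE = [
    (BENIGN, {"BENIGN": 0.45, "DDoS": 0.50, "PortScan": 0.03, "DoS": 0.02}),
    (BENIGN, {"BENIGN": 0.30, "PortScan": 0.55, "DDoS": 0.10, "DoS": 0.05}),
    (BENIGN, {"BENIGN": 0.92, "PortScan": 0.05, "DDoS": 0.02, "DoS": 0.01}),
    (BENIGN, {"BENIGN": 0.38, "BotNet": 0.60, "DDoS": 0.01, "DoS": 0.01}),
    (BENIGN, {"BENIGN": 0.20, "DDoS": 0.75, "PortScan": 0.03, "DoS": 0.02}),  # survives filtering
    ("DDoS", {"BENIGN": 0.05, "DDoS": 0.90, "PortScan": 0.03, "DoS": 0.02}),
    ("PortScan", {"BENIGN": 0.10, "PortScan": 0.80, "DDoS": 0.05, "DoS": 0.05}),
    ("DoS", {"BENIGN": 0.40, "DoS": 0.55, "DDoS": 0.03, "PortScan": 0.02}),  # low-confidence true attack
]


def evaluate(sample=SAMPLE):
    """Return (raw_fpr, filtered_fpr, raw_labels, filtered_labels) for a batch."""
    truth = [t for t, _ in sample]
    raw = [argmax_label(p) for _, p in sample]
    filtered = [filter_label(p) for _, p in sample]
    return false_positive_rate(truth, raw), false_positive_rate(truth, filtered), raw, filtered
```

The last sample row shows the trade-off: a genuine DoS flow predicted at 0.55 falls under the DoS threshold and is returned as BENIGN, so thresholds must be tuned per class against recall, not only against the false positive rate.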

Published

2026-04-30