Operational Weakness Mapping of Machine Learning–Based IntrusionDetection Systems under Realistic Deployment Scenarios

Authors

  • ID Fathoni Mahardika Universitas Amikom Yogyakarta, Yogyakarta, Indonesia
  • ID Ema Utami Universitas Amikom Yogyakarta, Yogyakarta, Indonesia
  • ID Kusrini Universitas Amikom Yogyakarta, Yogyakarta, Indonesia
  • ID Ferry Wahyu Wibowo Universitas Amikom Yogyakarta, Yogyakarta, Indonesia

DOI:

https://doi.org/10.30812/matrik.v25i3.6147

Keywords:

Benchmarking, Explainable artificial intelligence, Intrusion detection system, Early Warning, Flood, Machine Learning, Ensemble, Operational robustness

Abstract

As machine learning-based intrusion detection systems increasingly support information security risk management, prior systematic literature review findings indicate that many studies still emphasize benchmark accuracy while paying limited attention to robustness, interpretability, and operational feasibility. This study aims to map the operational weaknesses of machine learning-based intrusion detection systems under realistic deployment stressors. A directed replication and scenario-based stresstesting approach was applied using four public intrusion detection datasets, namely CICIDS2017, CICIDS2018, UNSW-NB15, and RanSMAP. The data were obtained from public repositories, converted to binary labels, cleaned by removing identifiers and non-numeric attributes, imputed with median values, scaled with MinMax normalization, and split into training and testing subsets. Supervised models, including Random Forest and XGBoost, were compared with unsupervised baselines, including Isolation Forest, LOF/kNN-distance, and DBSCAN, across scenarios covering baseline benchmarking, class imbalance, telemetry degradation, drift, parameter sensitivity, and micro-batch inference. The results show that supervised models achieved near-perfect baseline performance but degraded sharply under minor Gaussian noise, with F1-score dropping to 0.16 for Random Forest and 0.41 for XGBoost. Unsupervised models showed limited detection capability and high sensitivity to parameters. Although micro-batch inference achieved high throughput, alert burden remained a practical concern. These findings demonstrate that benchmark accuracy alone is insufficient for deployment readiness and that IDS evaluation should include robustness, interpretability, and alert-management analysis.

Downloads

Download data is not yet available.

Author Biographies

  • Fathoni Mahardika, Universitas Amikom Yogyakarta, Yogyakarta, Indonesia

    .

  • Ema Utami, Universitas Amikom Yogyakarta, Yogyakarta, Indonesia

    .

  • Kusrini, Universitas Amikom Yogyakarta, Yogyakarta, Indonesia

    .

  • Ferry Wahyu Wibowo, Universitas Amikom Yogyakarta, Yogyakarta, Indonesia

    .

References

[1] E. Krzyszto´n, I. Rojek, and D. Mikołajewski, “A Comparative Analysis of Anomaly Detection Methods in IoT Networks: An

Experimental Study,” Applied Sciences, vol. 14, no. 24, p. 11545, Dec. 2024, https://doi.org/10.3390/app142411545.

[2] S. Narmadha and N. Balaji, “Improved network anomaly detection system using optimized autoencoder - LSTM,” Expert

Systems with Applications, vol. 273, p. 126854, May 2025, https://doi.org/10.1016/j.eswa.2025.126854.

[3] F. Mahardika, E. Utami, Kusrini, and F. W. Wibowo, “Towards Transparent Cyber Threat Detection : A Systematic Literature

Review on the Role of Explainable AI (XAI) in Information Security Risk Management (2018-2025),” in 2025 13th

International Conference on Cyber and IT Service Management (CITSM). Jakarta, Indonesia: IEEE, Sep. 2025, pp. 1–4,

https://doi.org/10.1109/CITSM67730.2025.11291277.

[4] ——, “A Systematic Literature Review on Machine Learning-Based Information Security Risk Management for Higher Education

Institutions,” in 2025 IEEE International Conference on Advanced Information Scientific Development (ICAISD). Jakarta,

Indonesia: IEEE, Nov. 2025, pp. 84–89, https://doi.org/10.1109/ICAISD68166.2025.11385757.

[5] A. H. Muhammad, A. Nasiri, and A. Harimurti, “Machine learning methods for classification and prediction information security

risk assessment,” IAES International Journal of Artificial Intelligence (IJ-AI), vol. 14, no. 1, pp. 457–465, Feb. 2025,

https://doi.org/10.11591/ijai.v14.i1.pp457-465.

[6] Y. Xin, L. Kong, Z. Liu, Y. Chen, Y. Li, H. Zhu, M. Gao, H. Hou, and C.Wang, “Machine Learning and Deep Learning Methods

for Cybersecurity,” IEEE Access, vol. 6, pp. 35 365–35 381, 2018, https://doi.org/10.1109/ACCESS.2018.2836950.

[7] N. G. Pardeshi and D. V. Patil, “A two-layered collaborative approach for network intrusion detection system using blended

shallow learning gaussian na¨ıve bayes and support vector machine models,” International Journal of Advances in Intelligent

Informatics, vol. 11, no. 3, pp. 459–479, Aug. 2025, https://doi.org/10.26555/ijain.v11i3.2035.

[8] Y. Almutairi, B. Alhazmi, and A. Munshi, “Network Intrusion Detection Using Machine Learning Techniques,” Advances in

Science and Technology Research Journal, vol. 16, no. 3, pp. 193–206, Jul. 2022, https://doi.org/10.12913/22998624/149934.

[9] D. G. Hakke, “Performance Evaluation of Machine Learning-Based Intrusion Detection Using NSL-KDD, UNSW-NB15 and

CICIDS2017 Datasets,” International Journal of Applied Mathematics, vol. 38, no. 3s, pp. 447–469, Sep. 2025, https://doi.org/

10.12732/ijam.v38i3s.160.

[10] S. A. Ajagbe, J. B. Awotunde, and H. Florez, “Intrusion Detection: A Comparison Study of Machine Learning Models Using

Unbalanced Dataset,” SN Computer Science, vol. 5, no. 8, p. 1028, Nov. 2024, https://doi.org/10.1007/s42979-024-03369-0.

[11] D. Paolini, P. Dini, A. Elhanashi, and S. Saponara, “Advanced Fault Detection and Diagnosis Exploiting Machine Learning

and Artificial Intelligence for Engineering Applications,” Electronics, vol. 15, no. 2, p. 476, Jan. 2026, https://doi.org/10.3390/

electronics15020476.

[12] V. Z. Mohale and I. C. Obagbuwa, “Evaluating machine learning-based intrusion detection systems with explainable AI: Enhancing

transparency and interpretability,” Frontiers in Computer Science, vol. 7, p. 1520741, May 2025, https://doi.org/10.

3389/fcomp.2025.1520741.

[13] L. Bernal, G. Rastelli, and L. Pinzi, “Improving Machine Learning Classification Predictions through SHAP and Features

Analysis Interpretation,” Journal of Chemical Information and Modeling, vol. 65, no. 21, pp. 11 716–11 732, Nov. 2025, https:

//doi.org/10.1021/acs.jcim.5c02015.

[14] M. A. Ferrag, L. Maglaras, S. Moschoyiannis, and H. Janicke, “Deep learning for cyber security intrusion detection: Approaches,

datasets, and comparative study,” Journal of Information Security and Applications, vol. 50, p. 102419, Feb. 2020,

https://doi.org/10.1016/j.jisa.2019.102419.

[15] G. R. Ginni and S. L. Chakravarthy, “A Hybrid Framework for Robust Anomaly Detection: Integrating Unsupervised and

Supervised Learning with Advanced Feature Engineering,” International Journal of Computational and Experimental Science

and Engineering, vol. 11, no. 2, pp. 1993–2017, Apr. 2025, https://doi.org/10.22399/ijcesen.1383.

[16] P. Lavanya, R. P. Singh, U. Kumaran, and P. Kumar, “Gradient Boosting classifier performance evaluation using Generative

Adversarial Networks,” Procedia Computer Science, vol. 235, pp. 3016–3024, 2024, https://doi.org/10.1016/j.procs.2024.04.

285.

[17] F. Ebrahimi, R. Javidan, R. Akbari, and Y. Hosseini, “Intrusion detection in the internet of things using convolutional

neural networks: An explainable AI approach,” Cybersecurity, vol. 8, no. 1, p. 66, Sep. 2025, https://doi.org/10.1186/

s42400-025-00369-2.

[18] V. Kumar, S. S. Saheb, Preeti, A. Ghayas, S. Kumari, J. K. Chandel, S. K. Pandey, and S. Kumar, “AI-Based Hybrid Models

for Predicting Loan Risk in the Banking Sector,” Big Data Mining and Analytics, vol. 6, no. 4, pp. 478–490, Dec. 2023,

https://doi.org/10.26599/BDMA.2022.9020037.

[19] H. Zhang, Z. Xiao, J. Gu, and Y. Liu, “A network anomaly detection algorithm based on semi-supervised learning and adaptive

multiclass balancing,” The Journal of Supercomputing, vol. 79, no. 18, pp. 20 445–20 480, Dec. 2023, https://doi.org/10.1007/

s11227-023-05474-y.

[20] M. Aamir and S. M. Ali Zaidi, “Clustering based semi-supervised machine learning for DDoS attack classification,” Journal of

King Saud University - Computer and Information Sciences, vol. 33, no. 4, pp. 436–446, May 2021, https://doi.org/10.1016/j.

jksuci.2019.02.003.

[21] M. Hirano and R. Kobayashi, “RanSMAP: Open dataset of Ransomware Storage and Memory Access Patterns for creating deep

learning based ransomware detectors,” Computers & Security, vol. 150, p. 104202, Mar. 2025, https://doi.org/10.1016/j.cose.

2024.104202.

[22] Hari Vinayak M.V. and Jarin T., “A hybrid model for detecting intrusions using stacked autoencoders and extreme gradient

boosting,” Computers & Security, vol. 150, p. 104212, Mar. 2025, https://doi.org/10.1016/j.cose.2024.104212.

[23] N. Amroune, M. Benazi, and L. Sayad, “An Adaptative Eps Parameter of DBSCAN Algorithm for Identifying Clusters with

Heterogeneous Density,” Computaci´on y Sistemas, vol. 28, no. 2, Jun. 2024, https://doi.org/10.13053/cys-28-2-4600.

[24] J. I. Iturbe-Araya and H. Rif`a-Pous, “Enhancing unsupervised anomaly-based cyberattacks detection in smart homes through

hyperparameter optimization,” International Journal of Information Security, vol. 24, no. 1, p. 45, Feb. 2025, https://doi.org/10.

1007/s10207-024-00961-6.

[25] O. Alghushairy, R. Alsini, T. Soule, and X. Ma, “A Review of Local Outlier Factor Algorithms for Outlier Detection in Big

Data Streams,” Big Data and Cognitive Computing, vol. 5, no. 1, pp. 1–24, Mar. 2021, https://doi.org/10.3390/bdcc5010001.

[26] S. T. Hamidou and A. Mehdi, “Enhancing IDS performance through a comparative analysis of Random Forest, XGBoost, and

Deep Neural Networks,” Machine Learning with Applications, vol. 22, p. 100738, Dec. 2025, https://doi.org/10.1016/j.mlwa.

2025.100738.

[27] S. Oh, S. Sohn, C. Kim, and M. Park, “MCH-Ensemble: Minority Class Highlighting Ensemble Method for Class Imbalance in

Network Intrusion Detection,” Applied Sciences, vol. 15, no. 23, p. 12647, Nov. 2025, https://doi.org/10.3390/app152312647.

[28] R. Mohite and L. Ouarbya, “Interpretable Anomaly Detection: A Hybrid Approach Using Rule-Based and Machine Learning

Techniques,” in 2024 IEEE 9th International Conference for Convergence in Technology (I2CT). Pune, India: IEEE, Apr.

2024, pp. 1–10, https://doi.org/10.1109/I2CT61223.2024.10543396.

Downloads

Published

2026-07-31

Issue

Section

Articles

How to Cite

[1]
Fathoni Mahardika, Ema Utami, Kusrini, and Ferry Wahyu Wibowo, “Operational Weakness Mapping of Machine Learning–Based IntrusionDetection Systems under Realistic Deployment Scenarios”, MATRIK, vol. 25, no. 3, pp. 491–508, Jul. 2026, doi: 10.30812/matrik.v25i3.6147.