Operational Weakness Mapping of Machine Learning–Based IntrusionDetection Systems under Realistic Deployment Scenarios
DOI:
https://doi.org/10.30812/matrik.v25i3.6147Keywords:
Benchmarking, Explainable artificial intelligence, Intrusion detection system, Early Warning, Flood, Machine Learning, Ensemble, Operational robustnessAbstract
As machine learning-based intrusion detection systems increasingly support information security risk management, prior systematic literature review findings indicate that many studies still emphasize benchmark accuracy while paying limited attention to robustness, interpretability, and operational feasibility. This study aims to map the operational weaknesses of machine learning-based intrusion detection systems under realistic deployment stressors. A directed replication and scenario-based stresstesting approach was applied using four public intrusion detection datasets, namely CICIDS2017, CICIDS2018, UNSW-NB15, and RanSMAP. The data were obtained from public repositories, converted to binary labels, cleaned by removing identifiers and non-numeric attributes, imputed with median values, scaled with MinMax normalization, and split into training and testing subsets. Supervised models, including Random Forest and XGBoost, were compared with unsupervised baselines, including Isolation Forest, LOF/kNN-distance, and DBSCAN, across scenarios covering baseline benchmarking, class imbalance, telemetry degradation, drift, parameter sensitivity, and micro-batch inference. The results show that supervised models achieved near-perfect baseline performance but degraded sharply under minor Gaussian noise, with F1-score dropping to 0.16 for Random Forest and 0.41 for XGBoost. Unsupervised models showed limited detection capability and high sensitivity to parameters. Although micro-batch inference achieved high throughput, alert burden remained a practical concern. These findings demonstrate that benchmark accuracy alone is insufficient for deployment readiness and that IDS evaluation should include robustness, interpretability, and alert-management analysis.
Downloads
References
[1] E. Krzyszto´n, I. Rojek, and D. Mikołajewski, “A Comparative Analysis of Anomaly Detection Methods in IoT Networks: An
Experimental Study,” Applied Sciences, vol. 14, no. 24, p. 11545, Dec. 2024, https://doi.org/10.3390/app142411545.
[2] S. Narmadha and N. Balaji, “Improved network anomaly detection system using optimized autoencoder - LSTM,” Expert
Systems with Applications, vol. 273, p. 126854, May 2025, https://doi.org/10.1016/j.eswa.2025.126854.
[3] F. Mahardika, E. Utami, Kusrini, and F. W. Wibowo, “Towards Transparent Cyber Threat Detection : A Systematic Literature
Review on the Role of Explainable AI (XAI) in Information Security Risk Management (2018-2025),” in 2025 13th
International Conference on Cyber and IT Service Management (CITSM). Jakarta, Indonesia: IEEE, Sep. 2025, pp. 1–4,
https://doi.org/10.1109/CITSM67730.2025.11291277.
[4] ——, “A Systematic Literature Review on Machine Learning-Based Information Security Risk Management for Higher Education
Institutions,” in 2025 IEEE International Conference on Advanced Information Scientific Development (ICAISD). Jakarta,
Indonesia: IEEE, Nov. 2025, pp. 84–89, https://doi.org/10.1109/ICAISD68166.2025.11385757.
[5] A. H. Muhammad, A. Nasiri, and A. Harimurti, “Machine learning methods for classification and prediction information security
risk assessment,” IAES International Journal of Artificial Intelligence (IJ-AI), vol. 14, no. 1, pp. 457–465, Feb. 2025,
https://doi.org/10.11591/ijai.v14.i1.pp457-465.
[6] Y. Xin, L. Kong, Z. Liu, Y. Chen, Y. Li, H. Zhu, M. Gao, H. Hou, and C.Wang, “Machine Learning and Deep Learning Methods
for Cybersecurity,” IEEE Access, vol. 6, pp. 35 365–35 381, 2018, https://doi.org/10.1109/ACCESS.2018.2836950.
[7] N. G. Pardeshi and D. V. Patil, “A two-layered collaborative approach for network intrusion detection system using blended
shallow learning gaussian na¨ıve bayes and support vector machine models,” International Journal of Advances in Intelligent
Informatics, vol. 11, no. 3, pp. 459–479, Aug. 2025, https://doi.org/10.26555/ijain.v11i3.2035.
[8] Y. Almutairi, B. Alhazmi, and A. Munshi, “Network Intrusion Detection Using Machine Learning Techniques,” Advances in
Science and Technology Research Journal, vol. 16, no. 3, pp. 193–206, Jul. 2022, https://doi.org/10.12913/22998624/149934.
[9] D. G. Hakke, “Performance Evaluation of Machine Learning-Based Intrusion Detection Using NSL-KDD, UNSW-NB15 and
CICIDS2017 Datasets,” International Journal of Applied Mathematics, vol. 38, no. 3s, pp. 447–469, Sep. 2025, https://doi.org/
10.12732/ijam.v38i3s.160.
[10] S. A. Ajagbe, J. B. Awotunde, and H. Florez, “Intrusion Detection: A Comparison Study of Machine Learning Models Using
Unbalanced Dataset,” SN Computer Science, vol. 5, no. 8, p. 1028, Nov. 2024, https://doi.org/10.1007/s42979-024-03369-0.
[11] D. Paolini, P. Dini, A. Elhanashi, and S. Saponara, “Advanced Fault Detection and Diagnosis Exploiting Machine Learning
and Artificial Intelligence for Engineering Applications,” Electronics, vol. 15, no. 2, p. 476, Jan. 2026, https://doi.org/10.3390/
electronics15020476.
[12] V. Z. Mohale and I. C. Obagbuwa, “Evaluating machine learning-based intrusion detection systems with explainable AI: Enhancing
transparency and interpretability,” Frontiers in Computer Science, vol. 7, p. 1520741, May 2025, https://doi.org/10.
3389/fcomp.2025.1520741.
[13] L. Bernal, G. Rastelli, and L. Pinzi, “Improving Machine Learning Classification Predictions through SHAP and Features
Analysis Interpretation,” Journal of Chemical Information and Modeling, vol. 65, no. 21, pp. 11 716–11 732, Nov. 2025, https:
//doi.org/10.1021/acs.jcim.5c02015.
[14] M. A. Ferrag, L. Maglaras, S. Moschoyiannis, and H. Janicke, “Deep learning for cyber security intrusion detection: Approaches,
datasets, and comparative study,” Journal of Information Security and Applications, vol. 50, p. 102419, Feb. 2020,
https://doi.org/10.1016/j.jisa.2019.102419.
[15] G. R. Ginni and S. L. Chakravarthy, “A Hybrid Framework for Robust Anomaly Detection: Integrating Unsupervised and
Supervised Learning with Advanced Feature Engineering,” International Journal of Computational and Experimental Science
and Engineering, vol. 11, no. 2, pp. 1993–2017, Apr. 2025, https://doi.org/10.22399/ijcesen.1383.
[16] P. Lavanya, R. P. Singh, U. Kumaran, and P. Kumar, “Gradient Boosting classifier performance evaluation using Generative
Adversarial Networks,” Procedia Computer Science, vol. 235, pp. 3016–3024, 2024, https://doi.org/10.1016/j.procs.2024.04.
285.
[17] F. Ebrahimi, R. Javidan, R. Akbari, and Y. Hosseini, “Intrusion detection in the internet of things using convolutional
neural networks: An explainable AI approach,” Cybersecurity, vol. 8, no. 1, p. 66, Sep. 2025, https://doi.org/10.1186/
s42400-025-00369-2.
[18] V. Kumar, S. S. Saheb, Preeti, A. Ghayas, S. Kumari, J. K. Chandel, S. K. Pandey, and S. Kumar, “AI-Based Hybrid Models
for Predicting Loan Risk in the Banking Sector,” Big Data Mining and Analytics, vol. 6, no. 4, pp. 478–490, Dec. 2023,
https://doi.org/10.26599/BDMA.2022.9020037.
[19] H. Zhang, Z. Xiao, J. Gu, and Y. Liu, “A network anomaly detection algorithm based on semi-supervised learning and adaptive
multiclass balancing,” The Journal of Supercomputing, vol. 79, no. 18, pp. 20 445–20 480, Dec. 2023, https://doi.org/10.1007/
s11227-023-05474-y.
[20] M. Aamir and S. M. Ali Zaidi, “Clustering based semi-supervised machine learning for DDoS attack classification,” Journal of
King Saud University - Computer and Information Sciences, vol. 33, no. 4, pp. 436–446, May 2021, https://doi.org/10.1016/j.
jksuci.2019.02.003.
[21] M. Hirano and R. Kobayashi, “RanSMAP: Open dataset of Ransomware Storage and Memory Access Patterns for creating deep
learning based ransomware detectors,” Computers & Security, vol. 150, p. 104202, Mar. 2025, https://doi.org/10.1016/j.cose.
2024.104202.
[22] Hari Vinayak M.V. and Jarin T., “A hybrid model for detecting intrusions using stacked autoencoders and extreme gradient
boosting,” Computers & Security, vol. 150, p. 104212, Mar. 2025, https://doi.org/10.1016/j.cose.2024.104212.
[23] N. Amroune, M. Benazi, and L. Sayad, “An Adaptative Eps Parameter of DBSCAN Algorithm for Identifying Clusters with
Heterogeneous Density,” Computaci´on y Sistemas, vol. 28, no. 2, Jun. 2024, https://doi.org/10.13053/cys-28-2-4600.
[24] J. I. Iturbe-Araya and H. Rif`a-Pous, “Enhancing unsupervised anomaly-based cyberattacks detection in smart homes through
hyperparameter optimization,” International Journal of Information Security, vol. 24, no. 1, p. 45, Feb. 2025, https://doi.org/10.
1007/s10207-024-00961-6.
[25] O. Alghushairy, R. Alsini, T. Soule, and X. Ma, “A Review of Local Outlier Factor Algorithms for Outlier Detection in Big
Data Streams,” Big Data and Cognitive Computing, vol. 5, no. 1, pp. 1–24, Mar. 2021, https://doi.org/10.3390/bdcc5010001.
[26] S. T. Hamidou and A. Mehdi, “Enhancing IDS performance through a comparative analysis of Random Forest, XGBoost, and
Deep Neural Networks,” Machine Learning with Applications, vol. 22, p. 100738, Dec. 2025, https://doi.org/10.1016/j.mlwa.
2025.100738.
[27] S. Oh, S. Sohn, C. Kim, and M. Park, “MCH-Ensemble: Minority Class Highlighting Ensemble Method for Class Imbalance in
Network Intrusion Detection,” Applied Sciences, vol. 15, no. 23, p. 12647, Nov. 2025, https://doi.org/10.3390/app152312647.
[28] R. Mohite and L. Ouarbya, “Interpretable Anomaly Detection: A Hybrid Approach Using Rule-Based and Machine Learning
Techniques,” in 2024 IEEE 9th International Conference for Convergence in Technology (I2CT). Pune, India: IEEE, Apr.
2024, pp. 1–10, https://doi.org/10.1109/I2CT61223.2024.10543396.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Fathoni Mahardika, Ema Utami, Kusrini, Ferry Wahyu Wibowo

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Fathoni Mahardika
.png)











