Machine Learning-Based Network Traffic Anomaly Detection Using the CIC-IDS2017 Dataset

Authors

  • Nadhir Fachrul Rozam, Universitas Negeri Yogyakarta, https://orcid.org/0009-0001-5491-1112
  • Tika Novita Sari
  • Muhammad Resa Arif Yudianto, Universitas Negeri Yogyakarta
  • Dzul Fadli Rahman, Universitas Negeri Yogyakarta

DOI:

https://doi.org/10.30812/upgrade.v3i2.6174

Keywords:

CIC-IDS2017, Intrusion Detection System, Machine Learning, Network Security, Network Traffic Anomaly

Abstract

The increasing volume and diversity of traffic in modern networks demand more adaptive intrusion detection approaches than traditional signature-based methods. This study aims to evaluate and compare the performance of several machine learning algorithms in detecting multi-class network traffic anomalies using the CIC-IDS2017 dataset. The research process includes data cleaning and transformation, class imbalance handling through random undersampling, and the implementation of five classification models: Logistic Regression, Gaussian Naïve Bayes, Random Forest, K-Nearest Neighbors, and Support Vector Machine. Model performance is assessed using accuracy, precision, recall, and F1-score, supported by confusion matrix analysis and feature contribution evaluation. The results indicate that Random Forest achieves the best performance with an accuracy of 99.44% and consistently high evaluation metrics, while Gaussian Naïve Bayes shows the lowest performance. Furthermore, flow-based features are found to play a dominant role in improving classification accuracy, while misclassifications mainly occur among classes with similar traffic patterns. The findings highlight that selecting appropriate algorithms and applying effective preprocessing strategies are critical for developing more accurate and adaptive intrusion detection systems capable of addressing evolving cyber threats.

Published

2026-04-30

Issue

Section

New Submission

How to Cite

Rozam, N. F., Sari, T. N., Yudianto, M. R. A., & Rahman, D. F. (2026). Deteksi Anomali Lalu Lintas Jaringan berbasis Machine Learning Menggunakan Dataset CIC-IDS2017. UPGRADE : Jurnal Pendidikan Teknologi Informasi, 3(2). https://doi.org/10.30812/upgrade.v3i2.6174