{"id":"https://openalex.org/W4406046950","doi":"https://doi.org/10.1109/lnet.2025.3525901","title":"Individual Packet Features are a Risk to Model Generalization in ML-Based Intrusion Detection","display_name":"Individual Packet Features are a Risk to Model Generalization in ML-Based Intrusion Detection","publication_year":2025,"publication_date":"2025-01-03","ids":{"openalex":"https://openalex.org/W4406046950","doi":"https://doi.org/10.1109/lnet.2025.3525901"},"language":"en","primary_location":{"id":"doi:10.1109/lnet.2025.3525901","is_oa":false,"landing_page_url":"https://doi.org/10.1109/lnet.2025.3525901","pdf_url":null,"source":{"id":"https://openalex.org/S4210234060","display_name":"IEEE Networking Letters","issn_l":"2576-3156","issn":["2576-3156"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Networking Letters","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5058691307","display_name":"Kahraman Kostas","orcid":"https://orcid.org/0000-0002-4696-1857"},"institutions":[{"id":"https://openalex.org/I32062511","display_name":"Heriot-Watt University","ror":"https://ror.org/04mghma93","country_code":"GB","type":"education","lineage":["https://openalex.org/I32062511"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Kahraman Kostas","raw_affiliation_strings":["Department of Computer Science, Heriot-Watt University, Edinburgh, U.K","Department of Computer Science, Heriot-Watt University, UK"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Heriot-Watt University, Edinburgh, U.K","institution_ids":[]},{"raw_affiliation_string":"Department of Computer Science, Heriot-Watt University, UK","institution_ids":["https://openalex.org/I32062511"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037048837","display_name":"Mike Just","orcid":"https://orcid.org/0000-0002-9669-5067"},"institutions":[{"id":"https://openalex.org/I32062511","display_name":"Heriot-Watt University","ror":"https://ror.org/04mghma93","country_code":"GB","type":"education","lineage":["https://openalex.org/I32062511"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Mike Just","raw_affiliation_strings":["Department of Computer Science, Heriot-Watt University, Edinburgh, U.K","Department of Computer Science, Heriot-Watt University, UK"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Heriot-Watt University, Edinburgh, U.K","institution_ids":[]},{"raw_affiliation_string":"Department of Computer Science, Heriot-Watt University, UK","institution_ids":["https://openalex.org/I32062511"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5049325379","display_name":"Michael A. Lones","orcid":"https://orcid.org/0000-0002-2745-9896"},"institutions":[{"id":"https://openalex.org/I32062511","display_name":"Heriot-Watt University","ror":"https://ror.org/04mghma93","country_code":"GB","type":"education","lineage":["https://openalex.org/I32062511"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Michael A. Lones","raw_affiliation_strings":["Department of Computer Science, Heriot-Watt University, Edinburgh, U.K","Department of Computer Science, Heriot-Watt University, UK"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Heriot-Watt University, Edinburgh, U.K","institution_ids":[]},{"raw_affiliation_string":"Department of Computer Science, Heriot-Watt University, UK","institution_ids":["https://openalex.org/I32062511"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5058691307"],"corresponding_institution_ids":["https://openalex.org/I32062511"],"apc_list":null,"apc_paid":null,"fwci":14.4254,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.98698009,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":"7","issue":"1","first_page":"66","last_page":"70"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9824000000953674,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9824000000953674,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.722126841545105},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.5902014970779419},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5066614747047424},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3952522575855255},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.34231385588645935},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.3147788941860199}],"concepts":[{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.722126841545105},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.5902014970779419},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5066614747047424},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3952522575855255},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.34231385588645935},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.3147788941860199}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/lnet.2025.3525901","is_oa":false,"landing_page_url":"https://doi.org/10.1109/lnet.2025.3525901","pdf_url":null,"source":{"id":"https://openalex.org/S4210234060","display_name":"IEEE Networking Letters","issn_l":"2576-3156","issn":["2576-3156"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Networking Letters","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Climate action","id":"https://metadata.un.org/sdg/13","score":0.6700000166893005}],"awards":[{"id":"https://openalex.org/G3614183638","display_name":null,"funder_award_id":"YLSY-2015","funder_id":"https://openalex.org/F4320328189","funder_display_name":"Milli E\u011fitim Bakanli\u011fi"}],"funders":[{"id":"https://openalex.org/F4320328189","display_name":"Milli E\u011fitim Bakanli\u011fi","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":20,"referenced_works":["https://openalex.org/W2026621111","https://openalex.org/W2774161712","https://openalex.org/W2789828921","https://openalex.org/W2955014922","https://openalex.org/W2963197901","https://openalex.org/W2963748489","https://openalex.org/W2973136425","https://openalex.org/W2997863343","https://openalex.org/W3172336096","https://openalex.org/W3192184909","https://openalex.org/W3192414357","https://openalex.org/W4213027282","https://openalex.org/W4220747501","https://openalex.org/W4220886040","https://openalex.org/W4226319939","https://openalex.org/W4285221277","https://openalex.org/W4293093536","https://openalex.org/W4318570479","https://openalex.org/W4323275401","https://openalex.org/W6860733418"],"related_works":["https://openalex.org/W2357468538","https://openalex.org/W1577110157","https://openalex.org/W2355007334","https://openalex.org/W2390009783","https://openalex.org/W4254602698","https://openalex.org/W2394461323","https://openalex.org/W2364419519","https://openalex.org/W2360767377","https://openalex.org/W2017948608","https://openalex.org/W2360951146"],"abstract_inverted_index":{"Machine":[0],"learning":[1],"is":[2],"increasingly":[3],"employed":[4],"for":[5,68,126],"intrusion":[6,131],"detection":[7,63,81,132],"in":[8,86,105,134],"IoT":[9,135],"networks.":[10],"This":[11],"paper":[12],"provides":[13],"the":[14,19,57,111],"first":[15,58],"empirical":[16],"evidence":[17],"of":[18,45,61,113],"risks":[20,67],"associated":[21],"with":[22,98],"modeling":[23],"network":[24],"traffic":[25],"using":[26],"individual":[27],"packet":[28,115],"features":[29],"(IPF).":[30],"Through":[31],"a":[32],"comprehensive":[33],"literature":[34],"review":[35],"and":[36,51,117,129],"novel":[37],"experimental":[38],"case":[39],"studies,":[40],"we":[41],"identify":[42],"critical":[43],"limitations":[44],"IPF,":[46,125],"such":[47],"as":[48],"information":[49],"leakage":[50],"low":[52],"data":[53],"complexity.":[54],"We":[55],"offer":[56],"in-depth":[59],"critique":[60],"IPF-based":[62,75],"systems,":[64],"highlighting":[65],"their":[66],"real-world":[69],"deployment.":[70],"Our":[71],"results":[72],"demonstrate":[73],"that":[74],"models":[76],"can":[77],"achieve":[78],"deceptively":[79],"high":[80],"rates":[82,91],"(up":[83],"to":[84,93,95],"100%":[85],"some":[87],"cases),":[88],"but":[89],"these":[90],"fail":[92],"generalize":[94],"new":[96],"datasets,":[97],"performance":[99],"dropping":[100],"by":[101],"more":[102],"than":[103,121],"90%":[104],"cross-session":[106],"tests.":[107],"These":[108],"findings":[109],"underscore":[110],"importance":[112],"considering":[114],"interactions":[116],"contextual":[118],"information,":[119],"rather":[120],"relying":[122],"solely":[123],"on":[124],"developing":[127],"robust":[128],"reliable":[130],"systems":[133],"environments.":[136]},"counts_by_year":[{"year":2025,"cited_by_count":9}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-01-04T00:00:00"}