pith. sign in

arxiv: 2606.29797 · v1 · pith:IDHK5TMWnew · submitted 2026-06-29 · 💻 cs.CR · cs.AI· cs.LG

Multi-Level Distributional Entropy for Explainable Network Intrusion Detection

Mohamed Aly Bouke , Md Shohel Sayeed , Swee-Huay Heng , Azizol Abdullah , Mohamed Othman This is my paper

Pith reviewed 2026-06-30 05:52 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.LG
keywords network intrusion detectiondistributional entropyflow statisticsJensen-Shannon divergenceexplainable detectionSHAP analysistemporal shift evaluation
0
0 comments X

The pith

Entropy features derived from flow statistics match conventional features in network intrusion detection without performance loss.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes Multi-Level Distributional Entropy to create interpretable features for network intrusion detection using only flow-level summary statistics. These features are calculated at three levels without needing raw packets or training data. They achieve weighted F1 scores from 0.708 to 0.989 across several benchmarks, performing comparably to traditional feature sets. Detailed evaluation using full metrics uncovers cases where high F1 scores mask low detection rates and failures on unseen attack types or under temporal shifts. The approach includes stability analysis via SHAP to show reproducible explanations.

Core claim

Multi-Level Distributional Entropy derives three entropy measures—within-flow Gaussian differential entropy, cross-directional Jensen-Shannon divergence, and TCP flag-pattern Shannon entropy—directly from pre-aggregated flow statistics to provide effective, explainable intrusion detection features that match the performance of conventional statistics-based features.

What carries the argument

The Multi-Level Distributional Entropy framework, which computes Gaussian differential entropy within flows, Jensen-Shannon divergence across directions, and Shannon entropy on TCP flag patterns from flow summaries.

If this is right

  • Entropy-only features achieve weighted F1 scores of 0.708-0.989 matching conventional features on NSL-KDD, CICIDS-2017, CICIDS-2018, and UNSW-NB15.
  • Full operational metrics expose hidden failures such as a detection rate of 0.48 despite F1 of 0.74 on CICIDS-2018.
  • Held-out attack families show F1 above 0.998 but detection rate of zero.
  • Under temporal shift with 703K flows, AUC remains 0.87 but detection rate drops to 0.082 with fixed thresholds.
  • SHAP analysis yields stable attributions with Spearman rho of 0.80-0.95 across folds.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Such features could support deployment in environments where raw packet capture is restricted for privacy reasons.
  • The observed threshold sensitivity suggests that live systems may require ongoing recalibration or adaptive thresholding.
  • Reproducible SHAP values indicate potential for building trust in automated detection decisions.

Load-bearing premise

The three entropy quantities can be derived and remain useful when computed only from pre-aggregated flow-level summary statistics without raw packet sequences or any model training.

What would settle it

A test showing that models using only these entropy features produce substantially lower weighted F1 scores than those using conventional flow statistics on the same benchmarks would falsify the performance-matching claim.

read the original abstract

Machine learning network intrusion detection systems (IDS) rely on aggregate flow statistics that discard distributional structure, while established entropy measures require raw packet sequences unavailable in pre-aggregated flow datasets. We propose Multi-Level Distributional Entropy (MDE), an analytical framework that derives interpretable entropy features directly from flow-level summary statistics at three levels: within-flow Gaussian differential entropy, cross-directional Jensen-Shannon divergence (JSD), and Transmission Control Protocol (TCP) flag-pattern Shannon entropy, without raw packet access or training data. Across four benchmarks (NSL-KDD, CICIDS-2017, CICIDS-2018, UNSW-NB15) under a leakage-free fold-local pipeline, entropy-only features achieve weighted F1 of 0.708-0.989, matching conventional features without degrading performance. Full operational metric reporting then exposes failure modes that aggregate F1 conceals. On CICIDS-2018, F1=0.74 hides a detection rate (DR) of 0.48, and on held-out attack families F1 exceeds 0.998 while DR falls to zero. Under temporal shift, a pseudo-live replay of 703K flows reveals a threshold-ranking divergence in which score ranking is preserved (AUC=0.87) but fixed thresholds collapse (DR=0.082) and recalibration offers no recovery. SHapley Additive exPlanations (SHAP) fold-stability analysis (Spearman rho=0.80-0.95) confirms that entropy attributions are reproducible and domain-coherent across heterogeneous environments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The manuscript proposes Multi-Level Distributional Entropy (MDE), an analytical framework deriving three entropy features—within-flow Gaussian differential entropy, cross-directional Jensen-Shannon divergence (JSD), and TCP flag-pattern Shannon entropy—directly from pre-aggregated flow-level summary statistics without raw packet access or training. On NSL-KDD, CICIDS-2017, CICIDS-2018 and UNSW-NB15 under leakage-free evaluation, entropy-only features yield weighted F1 scores of 0.708–0.989 that match conventional feature sets; detailed operational metrics expose hidden failure modes (e.g., F1 = 0.74 but DR = 0.48 on CICIDS-2018; F1 > 0.998 but DR = 0 on held-out families) and temporal-shift degradation (AUC = 0.87 yet DR = 0.082 under fixed thresholds). SHAP fold-stability analysis (Spearman ρ = 0.80–0.95) is used to argue reproducibility and domain coherence.

Significance. If the three entropy quantities can be rigorously derived from standard NetFlow-style aggregates, the work supplies a parameter-free, training-free feature set that is both competitive and interpretable, together with a clear demonstration that aggregate F1 conceals operational failure modes. The emphasis on full metric suites and cross-environment SHAP stability constitutes a constructive contribution to explainable IDS evaluation.

major comments (1)
  1. [§3] §3 (Methods), derivation of within-flow Gaussian differential entropy and cross-directional JSD: the central claim that these quantities are computable from typical flow-summary fields (duration, packet/byte counts, flags) alone is load-bearing. Explicit formulas must be supplied showing how the Gaussian assumption is instantiated and how the directional distributions for JSD are obtained without per-packet sequences or synthetic reconstruction; absent these steps the reported F1 numbers rest on an unverified construction.
minor comments (2)
  1. [§4.2] §4.2, CICIDS-2018 results: the statement that F1 = 0.74 conceals DR = 0.48 should be accompanied by the exact definition of DR (e.g., recall at the operating threshold chosen on the validation fold) to allow direct replication.
  2. [Figure 3] Figure 3 / temporal-shift experiment: the pseudo-live replay of 703 K flows should state whether the threshold is fixed from the training fold or re-tuned on a validation window, as this choice directly affects the reported collapse in DR.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive comment on §3. We agree that explicit formulas are required to substantiate the central claim and will add them in revision.

read point-by-point responses

  1. Referee: [§3] §3 (Methods), derivation of within-flow Gaussian differential entropy and cross-directional JSD: the central claim that these quantities are computable from typical flow-summary fields (duration, packet/byte counts, flags) alone is load-bearing. Explicit formulas must be supplied showing how the Gaussian assumption is instantiated and how the directional distributions for JSD are obtained without per-packet sequences or synthetic reconstruction; absent these steps the reported F1 numbers rest on an unverified construction.

    Authors: We agree the derivations must be made fully explicit. In the revised manuscript we will insert the precise formulas in §3: within-flow Gaussian differential entropy is instantiated by estimating μ = total_bytes / packet_count and σ² from duration and count statistics under the Gaussian model for packet sizes, then applying h(X) = ½ log(2πeσ²); cross-directional JSD is obtained by constructing two discrete distributions over normalized forward and backward packet/byte counts directly from the directional fields present in standard flow records (no per-packet sequences or reconstruction required) and computing the Jensen-Shannon divergence between them. These steps were used to produce the reported results; adding the formulas will not alter any numbers or conclusions. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rest on empirical evaluation rather than self-referential derivations.

full rationale

The paper introduces three entropy features (within-flow Gaussian differential entropy, cross-directional JSD, TCP flag-pattern Shannon entropy) computed from flow-level summaries and reports their performance via weighted F1, DR, AUC, and SHAP on four public benchmarks under leakage-free splits. No equations, fitted parameters, or self-citations are shown that reduce any claimed result to its own inputs by construction. The central assertions are comparative empirical outcomes, not derivations that loop back to the input statistics or prior author work. This matches the default non-circular case for an empirical feature-engineering study.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review yields no explicit free parameters, axioms, or invented entities; the framework implicitly assumes Gaussianity for within-flow entropy and applicability of JSD and flag-pattern entropy to summary statistics, but these cannot be audited without the full text.

pith-pipeline@v0.9.1-grok · 5832 in / 1247 out tokens · 28366 ms · 2026-06-30T05:52:57.136142+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

48 extracted references · 34 canonical work pages · 1 internal anchor

  1. [1]

    Survey of intrusion detection systems: Techniques, datasets and challenges,

    A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzza- man, “Survey of intrusion detection systems: Techniques, datasets and challenges,”Cybersecurity, vol. 2, no. 1, p. 20, 2019.DOI:10.1186/s42400-019-0038-7

    work page doi:10.1186/s42400-019-0038-7 2019

  2. [2]

    A survey of network-based intrusion detection data sets,

    M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, “A survey of network-based intrusion detection data sets,”Computers & Security, vol. 86, pp. 147–167, 2019.DOI:10.1016/j.cose.2019.06.005

    work page doi:10.1016/j.cose.2019.06.005 2019

  3. [3]

    Entropy mixing networks: Enhancing pseudorandom number gen- erators with lightweight dynamic entropy injection,

    M. A. Bouke, O. I. Alramli, and A. Abdullah, “Entropy mixing networks: Enhancing pseudorandom number gen- erators with lightweight dynamic entropy injection,”Jour- nal of Security and Privacy, vol. 9, no. 1, e70172, 2026. DOI:10.1002/spy2.70172

    work page doi:10.1002/spy2.70172 2026

  4. [4]

    Approximate entropy as a measure of sys- tem complexity,

    S. M. Pincus, “Approximate entropy as a measure of sys- tem complexity,”Proceedings of the National Academy of Sciences USA, vol. 88, no. 6, pp. 2297–2301, 1991. DOI:10.1073/pnas.88.6.2297

    work page doi:10.1073/pnas.88.6.2297 1991

  5. [5]

    Physiological time- series analysis using approximate entropy and sample entropy,

    J. S. Richman and J. R. Moorman, “Physiological time- series analysis using approximate entropy and sample entropy,”American Journal of Physiology: Heart and Circulatory Physiology, vol. 278, no. 6, H2039–H2049, 2000.DOI: 10 . 1152 / ajpheart . 2000 . 278 . 6 . H2039

    2000

  6. [6]

    A detailed analysis of the KDD CUP 99 data set,

    M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD CUP 99 data set,” inPro- ceedings of the 2nd IEEE Symposium on Computational Intelligence for Security and Defence Applications, 2009, pp. 1–6.DOI:10.1109/CISDA.2009.5356528

    work page doi:10.1109/cisda.2009.5356528 2009

  7. [7]

    To- ward generating a new intrusion detection dataset and intrusion traffic characterization,

    I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “To- ward generating a new intrusion detection dataset and intrusion traffic characterization,” inProceedings of the 4th International Conference on Information Systems Se- curity and Privacy, 2018, pp. 108–116.DOI: 10.5220/ 0006639801080116

    2018

  8. [8]

    UNSW-NB15: A comprehen- sive data set for network intrusion detection systems,

    N. Moustafa and J. Slay, “UNSW-NB15: A comprehen- sive data set for network intrusion detection systems,” inProceedings of the Military Communications and In- formation Systems Conference, 2015, pp. 1–6.DOI: 10. 1109/MilCIS.2015.7348942

    work page arXiv 2015

  9. [9]

    XAIRF- WFP: A novel XAI-based random forest classifier for advanced email spam detection,

    M. A. Bouke, O. I. Alramli, and A. Abdullah, “XAIRF- WFP: A novel XAI-based random forest classifier for advanced email spam detection,”International Journal of Information Security, vol. 24, no. 1, p. 5, 2025.DOI: 10.1007/s10207-024-00920-1

    work page doi:10.1007/s10207-024-00920-1 2025

  10. [10]

    A novel LightGBM model for Arabic spam detection integrated with XAI for enhanced explain- ability,

    M. A. Bouke et al., “A novel LightGBM model for Arabic spam detection integrated with XAI for enhanced explain- ability,”Computers and Electrical Engineering, vol. 133, p. 111 032, 2026.DOI: 10.1016/j.compeleceng. 2026.111032

    work page doi:10.1016/j.compeleceng 2026

  11. [11]

    A unified approach to interpreting model predictions,

    S. M. Lundberg and S. -I. Lee, “A unified approach to interpreting model predictions,” inAdvances in Neural Information Processing Systems, vol. 30, 2017, pp. 4766– 4777

    2017

  12. [12]

    Consistent Individualized Feature Attribution for Tree Ensembles

    S. M. Lundberg, G. G. Erion, and S.-I. Lee, “Consistent individualized feature attribution for tree ensembles,” in arXiv preprint arXiv:1802.03888, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  13. [13]

    Troubleshooting an intrusion detection dataset: The CICIDS2017 case study,

    G. Engelen, V . Rimmer, and W. Joosen, “Troubleshooting an intrusion detection dataset: The CICIDS2017 case study,”IEEE Security & Privacy, vol. 19, no. 4, pp. 26– 35, 2021.DOI:10.1109/MSEC.2021.3068460

    work page doi:10.1109/msec.2021.3068460 2021

  14. [14]

    A survey on intrusion de- tection system: Feature selection, model, performance measures, application perspective, challenges, and fu- ture research directions,

    A. Thakkar and R. Lohiya, “A survey on intrusion de- tection system: Feature selection, model, performance measures, application perspective, challenges, and fu- ture research directions,”Artificial Intelligence Review, vol. 55, pp. 453–563, 2022.DOI: 10.1007/s10462- 021-10037-9

    work page doi:10.1007/s10462- 2022

  15. [15]

    A systematic literature review for network intru- sion detection system (IDS),

    O. H. Abdulganiyu, T. A. Tchakoucht, and Y . K. Sa- heed, “A systematic literature review for network intru- sion detection system (IDS),”International Journal of Information Security, vol. 22, pp. 1125–1162, 2023.DOI: 10.1007/s10207-023-00682-2

    work page doi:10.1007/s10207-023-00682-2 2023

  16. [16]

    RTIDS: A robust transformer-based approach for intrusion detection system,

    P. Wu and H. Guo, “RTIDS: A robust transformer-based approach for intrusion detection system,”IEEE Access, vol. 10, pp. 65 259–65 270, 2022.DOI: 10 . 1109 / ACCESS.2022.3184120

    work page arXiv 2022

  17. [17]

    Transformers and large language mod- els for efficient intrusion detection systems: A compre- hensive survey,

    H. Kheddar et al., “Transformers and large language mod- els for efficient intrusion detection systems: A compre- hensive survey,”Information Fusion, vol. 124, p. 102 820, 2025.DOI:10.1016/j.inffus.2025.102820

    work page doi:10.1016/j.inffus.2025.102820 2025

  18. [18]

    A survey on graph neural networks for intrusion detection systems: Methods, trends and challenges,

    Z. Zhong, S. Chen, J. Qiu, et al., “A survey on graph neural networks for intrusion detection systems: Methods, trends and challenges,”Computers & Security, vol. 141, p. 103 821, 2024.DOI: 10 . 1016 / j . cose . 2024 . 103821

    2024

  19. [19]

    Federated learning in intrusion detection: Advancements, applications, and future direc- Page 18 of 20 Research Article Bouke et al., 2026. tions,

    O. E. Buyuktanir et al., “Federated learning in intrusion detection: Advancements, applications, and future direc- Page 18 of 20 Research Article Bouke et al., 2026. tions,”Cluster Computing, vol. 28, p. 473, 2025.DOI: 10.1007/s10586-025-05325-w

    work page doi:10.1007/s10586-025-05325-w 2026

  20. [20]

    Sok: The impact of unlabelled data in cyberthreat detection,

    G. Apruzzese, P. Laskov, and J. Schneider, “Sok: The impact of unlabelled data in cyberthreat detection,”IEEE Security & Privacy, vol. 21, no. 5, pp. 52–61, 2023.DOI: 10.1109/MSEC.2022.3165612

    work page doi:10.1109/msec.2022.3165612 2023

  21. [21]

    An in-depth experimen- tal study of anomaly detection using gradient boosted machine,

    B. A. Tama and K. -H. Rhee, “An in-depth experimen- tal study of anomaly detection using gradient boosted machine,”Neural Computing and Applications, vol. 31, pp. 955–965, 2019.DOI: 10.1007/s00521- 017- 3128-z

    work page doi:10.1007/s00521- 2019

  22. [22]

    Intrusion detection using big data and deep learning techniques,

    O. Faker and E. Dogdu, “Intrusion detection using big data and deep learning techniques,”Proceedings of the 2019 ACM Southeast Conference, pp. 86–93, 2019.DOI: 10.1145/3299815.3314439

    work page doi:10.1145/3299815.3314439 2019

  23. [23]

    Netflow datasets for machine learning-based network in- trusion detection systems,

    M. Sarhan, S. Layeghy, N. Moustafa, and M. Portmann, “Netflow datasets for machine learning-based network in- trusion detection systems,” inProceedings of the 10th In- ternational Conference on Big Data Technologies, 2021, pp. 9–21.DOI: 10.1007/978-3-030-96566-2_2

    work page doi:10.1007/978-3-030-96566-2_2 2021

  24. [24]

    An evaluation framework for network in- trusion detection datasets: Leveraging MITRE ATT&CK and industry relevance metrics,

    A. Tori et al., “An evaluation framework for network in- trusion detection datasets: Leveraging MITRE ATT&CK and industry relevance metrics,”Computers & Security, p. 104 663, 2025.DOI: 10 . 1016 / j . cose . 2025 . 104663

    2025

  25. [25]

    Entropy based worm and anomaly detection in fast IP networks,

    A. Wagner and B. Plattner, “Entropy based worm and anomaly detection in fast IP networks,” inProceedings of the 14th IEEE International Workshops on Enabling Tech- nologies, 2005, pp. 172–177.DOI: 10.1109/WETICE. 2005.35

    work page doi:10.1109/wetice 2005

  26. [26]

    An empirical evaluation of entropy-based traf- fic anomaly detection,

    G. Nychis, V . Sekar, D. G. Andersen, H. Kim, and H. Zhang, “An empirical evaluation of entropy-based traf- fic anomaly detection,” inProceedings of the 8th ACM SIGCOMM Conference on Internet Measurement, 2008, pp. 151–156.DOI:10.1145/1452520.1452539

    work page doi:10.1145/1452520.1452539 2008

  27. [27]

    Profiling internet backbone traffic: Behavior models and appli- cations,

    K. Xu, Z. -L. Zhang, and S. Bhattacharyya, “Profiling internet backbone traffic: Behavior models and appli- cations,” inProceedings of ACM SIGCOMM, 2005, pp. 169–180.DOI:10.1145/1080091.1080112

    work page doi:10.1145/1080091.1080112 2005

  28. [28]

    Characterising payload entropy in packet flows: Baseline entropy analysis for network anomaly detection,

    A. Kenyon et al., “Characterising payload entropy in packet flows: Baseline entropy analysis for network anomaly detection,”Future Internet, vol. 16, no. 12, p. 470, 2024.DOI:10.3390/fi16120470

    work page doi:10.3390/fi16120470 2024

  29. [29]

    Renyi entropy-driven network traffic anomaly detection with dynamic threshold,

    X. Yu et al., “Renyi entropy-driven network traffic anomaly detection with dynamic threshold,”Cyberse- curity, vol. 7, p. 64, 2024.DOI: 10.1186/s42400- 024-00249-1

    work page doi:10.1186/s42400- 2024

  30. [30]

    Explainable artificial intelligence (XAI) to enhance trust management in intrusion detection systems using deci- sion tree model,

    B. Mahbooba, M. Timilsina, R. Sahal, and M. Serrano, “Explainable artificial intelligence (XAI) to enhance trust management in intrusion detection systems using deci- sion tree model,”Complexity, vol. 2021, p. 6 634 811, 2021.DOI:10.1155/2021/6634811

    work page doi:10.1155/2021/6634811 2021

  31. [31]

    Designing an efficient security framework for detecting intrusions in virtual network of cloud computing,

    R. Patil, G. Dudeja, and C. Modi, “Designing an efficient security framework for detecting intrusions in virtual network of cloud computing,”Computers & Security, vol. 113, p. 102 537, 2022.DOI: 10.1016/j.cose. 2021.102537

    work page doi:10.1016/j.cose 2022

  32. [32]

    Explainable AI-based intrusion de- tection systems for Industry 5.0 and adversarial XAI: A systematic review,

    S. U. Khan et al., “Explainable AI-based intrusion de- tection systems for Industry 5.0 and adversarial XAI: A systematic review,”Information, vol. 16, no. 12, p. 1036, 2025.DOI:10.3390/info16121036

    work page doi:10.3390/info16121036 2025

  33. [33]

    Application of BukaGini algorithm for enhanced feature interaction analysis in intrusion de- tection systems,

    M. A. Bouke et al., “Application of BukaGini algorithm for enhanced feature interaction analysis in intrusion de- tection systems,”PeerJ Computer Science, vol. 10, e2043, 2024.DOI:10.7717/peerj-cs.2043

    work page doi:10.7717/peerj-cs.2043 2024

  34. [34]

    A mathematical theory of communica- tion,

    C. E. Shannon, “A mathematical theory of communica- tion,”The Bell System Technical Journal, vol. 27, no. 3, pp. 379–423, 1948.DOI: 10.1002/j.1538-7305. 1948.tb01338.x

    work page doi:10.1002/j.1538-7305 1948

  35. [35]

    Elements of informa- tion theory,

    T. M. Cover and J. A. Thomas, “Elements of informa- tion theory,”Wiley-Interscience, 1991.DOI: 10.1002/ 047174882X

    1991

  36. [36]

    Divergence measures based on the Shannon en- tropy,

    J. Lin, “Divergence measures based on the Shannon en- tropy,”IEEE Transactions on Information Theory, vol. 37, no. 1, pp. 145–151, 1991.DOI:10.1109/18.61115

    work page doi:10.1109/18.61115 1991

  37. [37]

    LightGBM: A highly efficient gradient boosting decision tree,

    G. Ke et al., “LightGBM: A highly efficient gradient boosting decision tree,” inAdvances in Neural Informa- tion Processing Systems, vol. 30, 2017, pp. 3149–3157

    2017

  38. [38]

    Random forests,

    L. Breiman, “Random forests,”Machine Learning, vol. 45, no. 1, pp. 5–32, 2001.DOI: 10 . 1023 / A : 1010933404324

    2001

  39. [39]

    The advantages of the Matthews correlation coefficient (MCC) over F1 score and accuracy in binary classification evaluation,

    D. Chicco and G. Jurman, “The advantages of the Matthews correlation coefficient (MCC) over F1 score and accuracy in binary classification evaluation,”BMC Genomics, vol. 21, no. 1, p. 6, 2020.DOI: 10.1186/ s12864-019-6413-7

    2020

  40. [40]

    Fawcett, An introduction to ROC analysis, Pattern recognition letters, 27 (2006) 861– 874

    T. Fawcett, “An introduction to ROC analysis,”Pattern Recognition Letters, vol. 27, no. 8, pp. 861–874, 2006. DOI:10.1016/j.patrec.2005.10.010

    work page doi:10.1016/j.patrec.2005.10.010 2006

  41. [41]

    UK Biobank: An Open Access Resource for Identifying the Causes of a Wide Range of Complex Diseases of Middle and Old Age.PLOS Medicine, 12(3):e1001779, March 2015

    T. Saito and M. Rehmsmeier, “The precision-recall plot is more informative than the ROC plot when evaluating binary classifiers on imbalanced datasets,” inPLOS ONE, vol. 10, 2015, e0118432.DOI: 10.1371/journal. pone.0118432

    work page doi:10.1371/journal 2015

  42. [42]

    Biometrics Bulletin 1, 80–83

    F. Wilcoxon, “Individual comparisons by ranking meth- ods,”Biometrics Bulletin, vol. 1, no. 6, pp. 80–83, 1945. DOI:10.2307/3001968

    work page doi:10.2307/3001968 1945

  43. [43]

    CatBoost: Unbiased boosting with categorical features,

    L. Prokhorenkova, G. Gusev, A. V orobev, A. V . Doro- gush, and A. Gulin, “CatBoost: Unbiased boosting with categorical features,” inAdvances in Neural Information Processing Systems (NeurIPS), vol. 31, 2018

    2018

  44. [44]

    TabNet: Attentive interpretable tabular learning,

    S. Ö. Arik and T. Pfister, “TabNet: Attentive interpretable tabular learning,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 35, 2021, pp. 6679–6687

    2021

  45. [45]

    Revisiting deep learning models for tabular data,

    Y . Gorishniy, I. Rubachev, V . Khrulkov, and A. Babenko, “Revisiting deep learning models for tabular data,” in Advances in Neural Information Processing Systems (NeurIPS), vol. 34, 2021, pp. 18 932–18 943

    2021

  46. [46]

    Why tree- based models still outperform deep learning on tabular data,

    L. Grinsztajn, E. Oyallon, and G. Varoquaux, “Why tree- based models still outperform deep learning on tabular data,” inAdvances in Neural Information Processing Systems (NeurIPS), vol. 35, 2022, pp. 507–520

    2022

  47. [47]

    Machine learning and deep learn- ing methods for intrusion detection systems: A survey,

    H. Liu and B. Lang, “Machine learning and deep learn- ing methods for intrusion detection systems: A survey,” Applied Sciences, vol. 9, no. 20, p. 4396, 2019.DOI: 10.3390/app9204396

    work page doi:10.3390/app9204396 2019

  48. [48]

    A deep learning method with wrapper based feature extraction for wireless intru- Page 19 of 20 Research Article Bouke et al., 2026. sion detection system,

    S. M. Kasongo and Y . Sun, “A deep learning method with wrapper based feature extraction for wireless intru- Page 19 of 20 Research Article Bouke et al., 2026. sion detection system,”Computers & Security, vol. 92, p. 101 752, 2020.DOI: 10 . 1016 / j . cose . 2020 . 101752 Page 20 of 20

    2026