arxiv: 2606.09934 · v1 · pith:WJATLNKMnew · submitted 2026-06-07 · 💻 cs.LG · cs.CR

nCMD: Benign-Anchored Feature Selection for Imbalanced Network Intrusion Detection

Pith reviewed 2026-06-27 18:39 UTC · model grok-4.3

classification 💻 cs.LG cs.CR
keywords: feature selection, network intrusion detection, imbalanced data, benign-anchored ranking, classwise mean deviation, NIDS preprocessing, filter methods

The pith

Anchoring feature scores to the benign-class mean improves detection of attacks in highly imbalanced network traffic.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces nCMD, a filter that ranks features by how far attack-class values stray from the mean of the dominant benign class. Traditional symmetric filters average across all classes and therefore under-weight features that mark rare deviations. The authors test the method on four standard NIDS benchmarks, several feature budgets, and three classifiers, reporting that it matches or exceeds the baselines in macro F1 and wins outright on three of the four sets. The gain is largest when only a few features are kept or when imbalance is extreme. Because the computation is no heavier than existing filters, the approach is presented as a drop-in replacement for resource-constrained detectors.

Core claim

nCMD scores each feature by the classwise mean deviation of the attack distributions from the benign-class mean, rather than from a global or symmetric reference. This produces rankings aligned with the operational reality that attacks are deviations from dominant normal traffic. On CICIDS2017, CICDDoS2019, NSL-KDD and UNSW-NB15, across multiple budgets and three downstream classifiers, the resulting subsets deliver macro-averaged F1 scores that equal or surpass those of classical filter baselines, with the largest margins under tight budgets and severe imbalance.

What carries the argument

benign-anchored Classwise Mean Deviation (nCMD), which computes feature relevance as the deviation of attack-class distributions from the benign-class mean
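
The anchoring idea above, as an added example that is not the paper's code: the page does not give the nCMD formula, so the benign-anchored score here is an assumed form (unweighted mean over attack classes of the absolute gap between class mean and benign mean). The contrast score is a generic class-frequency-weighted deviation from the global mean, standing in for symmetric filters rather than reproducing any baseline from the paper; feature names and traffic are constructed.

```python
from statistics import mean

NAMES = ["pkt_rate", "payload_entropy", "ttl_jitter"]  # hypothetical feature names

def constructed_traffic():
    """Constructed sample, features pre-scaled to [0, 1]: (count, pkt_rate, entropy)."""
    spec = {"benign": (950, 0.2, 0.1), "dos": (48, 0.6, 0.1), "infiltration": (2, 0.2, 0.9)}
    rows, labels = [], []
    for lab, (count, pkt_rate, entropy) in spec.items():
        for i in range(count):
            # third column alternates regardless of class, so it carries no signal
            rows.append([pkt_rate, entropy, 0.3 if i % 2 else 0.7])
            labels.append(lab)
    return rows, labels

def class_means(rows, labels):
    """Per-class mean of every feature column."""
    by_class = {}
    for row, lab in zip(rows, labels):
        by_class.setdefault(lab, []).append(row)
    return {lab: [mean(col) for col in zip(*rs)] for lab, rs in by_class.items()}

def benign_anchored(rows, labels, benign="benign"):
    """ASSUMED scoring: unweighted mean over attack classes of |class mean - benign mean|."""
    mu = class_means(rows, labels)
    attacks = [c for c in mu if c != benign]
    return [mean(abs(mu[c][j] - mu[benign][j]) for c in attacks)
            for j in range(len(rows[0]))]

def prior_weighted_global(rows, labels):
    """Symmetric contrast: class-frequency-weighted |class mean - global mean|."""
    mu = class_means(rows, labels)
    glob = [mean(col) for col in zip(*rows)]
    share = {c: labels.count(c) / len(rows) for c in mu}
    return [sum(share[c] * abs(mu[c][j] - glob[j]) for c in mu)
            for j in range(len(rows[0]))]

def rank(scores, names=NAMES):
    """Feature names ordered from highest to lowest score."""
    return [n for _, n in sorted(zip(scores, names), reverse=True)]

if __name__ == "__main__":
    rows, labels = constructed_traffic()
    print("benign-anchored:", rank(benign_anchored(rows, labels)))
    print("prior-weighted :", rank(prior_weighted_global(rows, labels)))
```

With a budget of one feature, the frequency-weighted score keeps pkt_rate and drops the only column that marks the two infiltration flows, while the benign-anchored score keeps it.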

If this is right

  • The method equals or exceeds classical filters on three of four benchmarks under every tested classifier.
  • Improvements are largest when feature budgets are small and class imbalance is severe.
  • No extra computation is required beyond standard filter ranking.
  • The rankings remain interpretable because each score directly quantifies deviation from normal traffic.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same anchoring idea could be tried in other anomaly-detection domains where one class overwhelmingly dominates.
  • Live deployment would require checking whether the benign mean drifts over time and how often it must be recomputed.
  • Pairing nCMD with a lightweight wrapper stage might further improve results for a chosen classifier.

Load-bearing premise

Deviation of attack classes from the benign mean is the right reference for measuring feature usefulness in real NIDS traffic.

What would settle it

A new collection of imbalanced network traces on which nCMD produces lower macro F1 than the strongest classical filter, under the same budgets and classifiers, would falsify the performance claim.

Figures

Figures reproduced from arXiv: 2606.09934 by Abu Fuad Ahmad, Istiaque Ahmed.

Figure 1: Macro-averaged F1-score across feature subset sizes (…

Original abstract

Feature selection is critical for network intrusion detection systems (NIDS) operating under high-dimensional, highly imbalanced traffic, as found in operational and defense networks. Traditional filter methods rank features using global statistics computed symmetrically across classes and thus fail to capture the asymmetry of intrusion detection, where attacks are best characterized as deviations from dominant benign traffic. We propose benign-anchored Classwise Mean Deviation (nCMD), a lightweight and interpretable method that scores feature relevance based on the deviation of attack-class distributions from the benign-class mean, rather than a globally biased reference. This approach aligns feature selection with the operational semantics of NIDS at no additional computational cost. Across four benchmark datasets (CICIDS2017, CICDDoS2019, NSL-KDD, and UNSW-NB15), multiple feature budgets, and three downstream classifiers, nCMD matches or exceeds classical filter baselines in macro-averaged F1-score. It achieves the best result on three of the four datasets and under every classifier, with the strongest improvements observed under tight feature budgets and severe class imbalance. These results support benign-anchored ranking as a scalable and interpretable preprocessing component for resource-constrained NIDS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper proposes benign-anchored Classwise Mean Deviation (nCMD), a lightweight feature selection method that ranks features by the deviation of attack-class distributions from the benign-class mean rather than symmetric global statistics. It evaluates the approach on four benchmark datasets (CICIDS2017, CICDDoS2019, NSL-KDD, UNSW-NB15) across multiple feature budgets and three downstream classifiers, claiming that nCMD matches or exceeds classical filter baselines in macro-averaged F1-score and achieves the best result on three of the four datasets under every classifier, with strongest gains under tight budgets and severe imbalance.

Significance. If the empirical results hold under rigorous verification, the work supplies a simple, interpretable, and zero-extra-cost preprocessing step explicitly aligned with the operational asymmetry of NIDS (benign-dominant traffic). This could be a practical addition to resource-constrained intrusion detection pipelines and illustrates the value of class-specific anchoring over symmetric filters in imbalanced settings.

major comments (1)
  1. [Evaluation] Evaluation section: the central claim of consistent superiority in macro F1 is presented without statistical significance tests, error bars, explicit dataset splits, or a description of how class imbalance was handled during train/test partitioning and scoring; these omissions prevent independent verification of the reported performance edge.
minor comments (1)
  1. [Abstract] Abstract: the acronym nCMD is used in the title and text without an immediate parenthetical expansion or the explicit scoring formula.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the positive assessment of the work's potential contribution and for the constructive comment on evaluation rigor. We address the single major comment point-by-point below.

Point-by-point responses
  1. Referee: [Evaluation] Evaluation section: the central claim of consistent superiority in macro F1 is presented without statistical significance tests, error bars, explicit dataset splits, or a description of how class imbalance was handled during train/test partitioning and scoring; these omissions prevent independent verification of the reported performance edge.

    Authors: We agree that the original manuscript omitted explicit details on these aspects, which limits independent verification. In the revised version we will: (1) state the exact train/test split ratios and confirm the use of stratified partitioning to preserve class proportions; (2) clarify that no resampling was performed and that macro F1 was chosen precisely to evaluate performance under imbalance; (3) add statistical significance testing (Wilcoxon signed-rank tests across the four datasets for each classifier and budget) together with error bars obtained from five independent random seeds. These additions will be placed in a new subsection of the evaluation and will not alter the core claims or computational profile of nCMD.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity

The paper defines nCMD directly from class means (benign as anchor) and evaluates the resulting feature rankings on four external public benchmark datasets using standard classifiers and F1 metrics. No equations, fitted parameters renamed as predictions, self-citations, or uniqueness theorems appear in the provided text. The derivation chain is a straightforward definition plus empirical comparison with no reduction of outputs to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that benchmark datasets represent operational conditions and that benign anchoring aligns with NIDS semantics; no free parameters or invented entities are described in the abstract.

axioms (1)
  • domain assumption: The four benchmark datasets (CICIDS2017, CICDDoS2019, NSL-KDD, UNSW-NB15) are representative of real-world imbalanced NIDS traffic
    Evaluation results are used to support claims of practical utility.

