Network Intrusion Detection Systems (NIDS) have been extensively investigated by monitoring real network traffic and analyzing suspicious activities. However, there are limitations in detecting specific types of attacks with NIDS, such as Advanced Persistent Threats (APT). Additionally, NIDS is restricted in observing complete traffic information due to encrypted traffic or a lack of authority. To address these limitations, a Host-based Intrusion Detection system (HIDS) evaluates resources in the host, including logs, files, and folders, to identify APT attacks that routinely inject malicious files into victimized nodes. In this study, a hybrid network intrusion detection system that combines NIDS and HIDS is proposed to improve intrusion detection performance. The feature flattening technique is applied to flatten two-dimensional host-based features into one-dimensional vectors, which can be directly used by traditional Machine Learning (ML) models. A two-stage collaborative classifier is introduced that deploys two levels of ML algorithms to identify network intrusions. In the first stage, a binary classifier is used to detect benign samples. All detected attack types undergo a multi-class classifier to reduce the complexity of the original problem and improve the overall detection performance. The proposed method is shown to generalize across two well-known datasets, CICIDS 2018 and NDSec-1. Performance of XGBoost, which represents conventional ML, is evaluated. Combining host and network features enhances attack detection performance (macro average F1 score) by 8.1% under the CICIDS 2018 dataset and 3.7% under the NDSec-1 dataset. Meanwhile, the two-stage collaborative classifier improves detection performance for most single classes, especially for DoS-LOIC-UDP and DoS-SlowHTTPTest, with improvements of 30.7% and 84.3%, respectively, when compared with the traditional ML XGBoost.

翻译：网络入侵检测系统（NIDS）通过监测实时网络流量并分析可疑活动已得到广泛研究。然而，NIDS在检测特定类型攻击（如高级持续性威胁APT）时存在局限性。此外，由于加密流量或缺乏权限，NIDS在获取完整流量信息方面也受到限制。为克服这些局限，基于主机的入侵检测系统（HIDS）通过评估主机内资源（包括日志、文件和文件夹）来识别常向受害节点注入恶意文件的APT攻击。本研究提出一种结合NIDS与HIDS的混合型网络入侵检测系统，以提升入侵检测性能。采用特征扁平化技术将二维主机特征转化为一维向量，使其可直接被传统机器学习（ML）模型使用。引入两阶段协作分类器，通过部署两层ML算法识别网络入侵：第一阶段使用二分类器检测良性样本，所有检测到的攻击类型进入多分类器处理，以降低原始问题复杂度并提升整体检测性能。实验表明，该方法在两个知名数据集CICIDS 2018与NDSec-1上具有良好的泛化能力。评估了代表传统ML的XGBoost性能：结合主机与网络特征后，攻击检测性能（宏平均F1分数）在CICIDS 2018数据集上提升8.1%，在NDSec-1数据集上提升3.7%。同时，相较于传统ML方法XGBoost，两阶段协作分类器在多数单一类别上提升了检测性能，尤其对DoS-LOIC-UDP和DoS-SlowHTTPTest的检测效果分别提升30.7%和84.3%。