With the increased use of network technologies such as the Internet of Things (IoT) in many real-world applications, new types of cyberattacks keep emerging. To safeguard critical infrastructures from these threats, it is crucial to deploy an Intrusion Detection System (IDS) that detects different types of attacks accurately while minimising false alarms. Machine learning approaches have been used extensively in IDS, and they mainly rely on flat multi-class classification to distinguish normal traffic from the different attack types. Although cyberattack types exhibit a hierarchical structure, in which similar granular attack subtypes can be grouped into higher-level attack types, the hierarchical classification approach has not been explored well. In this paper, we investigate the effectiveness of the hierarchical classification approach in IDS. We use a three-level hierarchical classification model to classify network attacks: the first level classifies traffic as benign or attack, the second level classifies coarse high-level attack types, and the third level classifies granular attack types. Our empirical results, obtained with 10 different classification algorithms on 10 different datasets, show no significant difference between the hierarchical and flat approaches in overall classification performance (i.e., detecting normal traffic and the different attack types correctly). However, the flat classification approach tends to misclassify attacks as normal traffic, whereas the hierarchical approach tends to misclassify one attack type as another. In other words, the hierarchical classification approach significantly reduces the number of attacks misclassified as normal traffic, which is the more important property in critical systems.
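The three-level model and the two error kinds contrasted in the abstract, as an added illustration that is not code from the paper: a hierarchical classifier that chains a benign-vs-attack stage, a coarse-family stage and one granular classifier per family, a flat classifier over the same labels, and an error breakdown that separates "attack predicted as benign" from "attack predicted as another attack type". The taxonomy, the min-max scaled flow features and the nearest-centroid learner are constructed for this example and are far too small to reproduce the paper's finding; any classifier exposing `fit`/`predict` can be substituted at each level.

```python
"""Hierarchical vs flat intrusion classification with an error breakdown.

Constructed example (not from the paper): the taxonomy, feature vectors and
the nearest-centroid learner below are illustrative assumptions.
"""
from collections import defaultdict

# Constructed two-family taxonomy: coarse attack family -> granular types.
TAXONOMY = {
    "DoS": ["syn_flood", "udp_flood"],
    "Probe": ["port_scan", "os_fingerprint"],
}
FINE_TO_COARSE = {fine: coarse for coarse, fines in TAXONOMY.items() for fine in fines}


class NearestCentroid:
    """Minimal stand-in learner: predicts the label whose mean training
    vector is closest in squared Euclidean distance."""

    def fit(self, X, y):
        sums = defaultdict(lambda: [0.0] * len(X[0]))
        counts = defaultdict(int)
        for x, label in zip(X, y):
            counts[label] += 1
            for i, v in enumerate(x):
                sums[label][i] += v
        self.centroids = {lab: [s / counts[lab] for s in sums[lab]] for lab in sums}
        return self

    def predict(self, x):
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(x, self.centroids[lab])))


class HierarchicalIDS:
    """Level 1: benign vs attack. Level 2: coarse family.
    Level 3: granular type, using the classifier of the predicted family."""

    def __init__(self, make_clf):
        self.make_clf = make_clf  # factory for a fit/predict classifier

    def fit(self, X, y_fine):
        # Level 1 sees every sample with all attack types collapsed to "attack".
        self.level1 = self.make_clf().fit(
            X, ["benign" if lab == "benign" else "attack" for lab in y_fine])
        # Levels 2 and 3 are trained on attack samples only.
        attacks = [(x, lab) for x, lab in zip(X, y_fine) if lab != "benign"]
        self.level2 = self.make_clf().fit(
            [x for x, _ in attacks], [FINE_TO_COARSE[lab] for _, lab in attacks])
        self.level3 = {}
        for family, fines in TAXONOMY.items():
            members = [(x, lab) for x, lab in attacks if lab in fines]
            self.level3[family] = self.make_clf().fit(
                [x for x, _ in members], [lab for _, lab in members])
        return self

    def predict(self, x):
        if self.level1.predict(x) == "benign":
            return "benign"
        return self.level3[self.level2.predict(x)].predict(x)


def error_breakdown(y_true, y_pred):
    """Count correct predictions and the three error kinds separately."""
    out = {"correct": 0, "attack_as_benign": 0,
           "attack_as_other_attack": 0, "benign_as_attack": 0}
    for t, p in zip(y_true, y_pred):
        if t == p:
            out["correct"] += 1
        elif t == "benign":
            out["benign_as_attack"] += 1
        elif p == "benign":
            out["attack_as_benign"] += 1
        else:
            out["attack_as_other_attack"] += 1
    return out


# Constructed, min-max scaled flow features: [packet_rate, dst_port_spread, syn_ratio].
TRAIN_X = [[0.1, 0.1, 0.1], [0.2, 0.2, 0.2],          # benign
           [0.9, 0.1, 0.9], [1.0, 0.1, 1.0],          # syn_flood
           [0.9, 0.1, 0.0], [1.0, 0.1, 0.1],          # udp_flood
           [0.1, 0.9, 0.9], [0.1, 1.0, 1.0],          # port_scan
           [0.3, 0.4, 0.5], [0.3, 0.5, 0.6]]          # os_fingerprint
TRAIN_Y = ["benign"] * 2 + ["syn_flood"] * 2 + ["udp_flood"] * 2 + \
          ["port_scan"] * 2 + ["os_fingerprint"] * 2
EVAL_X = [[0.15, 0.1, 0.1], [0.95, 0.1, 0.95], [0.1, 0.95, 0.95],
          [0.22, 0.3, 0.35], [0.45, 0.3, 0.35]]
EVAL_Y = ["benign", "syn_flood", "port_scan", "os_fingerprint", "os_fingerprint"]


def compare(train_X=TRAIN_X, train_y=TRAIN_Y, eval_X=EVAL_X, eval_y=EVAL_Y):
    """Train both approaches on the same data and break down their errors."""
    flat = NearestCentroid().fit(train_X, train_y)
    hier = HierarchicalIDS(NearestCentroid).fit(train_X, train_y)
    flat_pred = [flat.predict(x) for x in eval_X]
    hier_pred = [hier.predict(x) for x in eval_X]
    return {"flat_pred": flat_pred, "hier_pred": hier_pred,
            "flat": error_breakdown(eval_y, flat_pred),
            "hierarchical": error_breakdown(eval_y, hier_pred)}


if __name__ == "__main__":
    for name, table in compare().items():
        print(name, table)
```

On real datasets the breakdown is the metric to report alongside accuracy: two models with the same overall accuracy can differ entirely in whether their errors are missed attacks or mislabelled attacks, which is the distinction the abstract draws.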