Skip to content

Research at St Andrews

Improving intrusion detection model prediction by threshold adaptation

Research output: Contribution to journalArticle


Open Access permissions



Amjad Mohamed Hamdan Al Tobi, Ishbel Mary Macdonald Duncan

School/Research organisations


Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the accuracy of anomaly-based network intrusion detection systems (IDS) that are built using predictive models in a batch learning setup. This work investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these intrusion detection models. Specifically, this research studied the adaptability features of three well known machine learning algorithms: C5.0, Random Forest and Support Vector Machine. Each algorithm’s ability to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. Multiple IDS datasets were used for the analysis, including a newly generated dataset (STA2018). This research demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation traffic have different statistical properties. Tests were undertaken to analyse the effects of feature selection and data balancing on model accuracy when different significant features in traffic were used. The effects of threshold adaptation on improving accuracy were statistically analysed. Of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates.


Original languageEnglish
Article number159
Pages (from-to)1-42
Number of pages42
Issue number5
Publication statusPublished - 30 Apr 2019

    Research areas

  • Intrusion Detection System, Anomaly-based IDS, Threshold adaptation, Prediction accuracy improvement, Machine learning, STA2018 dataset, C5.0, Random forest, Support vector machine

Discover related content
Find related publications, people, projects and more using interactive charts.

View graph of relations

Related by author

  1. A novel method to prevent phishing by using OCR technology

    Wang, Y. & Duncan, I. M. M., 31 Oct 2019, 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). IEEE Computer Society, p. 1-5 5 p. 8885101

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

  2. Human visual based perception of steganographic images

    Fyffe, B., Wang, Y. & Duncan, I., 2019, In : Journal of Cyber Security Technology. 3, 2, p. 61-107 47 p.

    Research output: Contribution to journalArticle

  3. KDD 1999 generation faults: a review and analysis

    Al Tobi, A. M. & Duncan, I., 2018, In : Journal of Cyber Security Technology. 2, 3-4, p. 164-200 37 p.

    Research output: Contribution to journalArticle

  4. Aerial Virtual Reality: Remote Tourism With Drones

    Fabola, A. E., Miller, A. & Duncan, I. M. M., Nov 2017.

    Research output: Contribution to conferencePaper

  5. Aerial Virtual Reality: remote tourism with drones

    Fabola, A. E., Miller, A. H. D. & Duncan, I. M. M., 16 Oct 2017, Journal of Immersive Education: E-iED 2017, Proceedings. Immersive Education Initiative, 13 p.

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

ID: 258834046