HYBRID METHOD FOR DETECTING MALICIOUS ACTIVITY BASED ON STACKING ENSEMBLE OF CLASSIFIERS
DOI: 10.31673/2409-7292.2025.030315
https://doi.org/10.31673/2409-7292.2025.030315
Abstract
The article presents a hybrid method for detecting malicious activity in the information systems of organizations, developed
on the basis of an ensemble approach using stacking. The proposed architecture combines classical machine learning algorithms
(SVM, Random Forest, kNN) with modern high-performance boosting models (XGBoost, LightGBM, CatBoost), while the role
of meta-classifier is performed by logistic regression, XGBoost, Gradient Boosting and Random Forest. This approach integrates
the strengths of the different methods, which significantly increases the classification accuracy, noise resistance and
generalization ability of the system. Particular attention is paid to data preprocessing, which includes the removal of
irrelevant features, normalization of numerical characteristics, balancing of class disparity using the SMOTE algorithm,
dimensionality reduction using PCA, and temporal feature engineering. These steps reduced the risk of overfitting,
accelerated computation and preserved the informativeness of the key traffic characteristics. To select the optimal models,
two methods were used: building a Pareto front and heuristic filtering by the average values of the metrics, which ensured
a balanced trade-off between accuracy, F1-measure and speed. Experimental verification of the proposed approach was carried
out on one of the most representative datasets in the field of cybersecurity, CSE-CIC-IDS2018. The results showed an
accuracy of 98.07%, an F1-measure of 96.57% and an average prediction time of 7.16 ms, which meets modern requirements for
IDSs that must operate in real time under high load. The proposed system demonstrated better efficiency than single models,
which confirms the feasibility of using hybrid ensemble methods in cybersecurity tasks.
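The stacking scheme the abstract describes, base classifiers whose outputs feed a meta-classifier, is shown below as an added, self-contained example that is not the authors' code. It uses two deliberately simple stand-in base learners (kNN and a nearest-centroid scorer, instead of the paper's SVM/Random Forest/boosting models), a logistic-regression meta-classifier trained with plain gradient descent, and constructed synthetic flow records (duration, forward packets, bytes per packet) rather than CSE-CIC-IDS2018. The point it demonstrates is the one that makes stacking sound in practice: the meta-classifier is trained only on out-of-fold base predictions, so it never learns from predictions the base models made on rows they were fitted to, and normalization statistics come from the training split only. Every function and class name here is an assumption of the example.

```python
import math
import random

def sigmoid(z):  # clamped to avoid exp() overflow on extreme scores
    return 1.0 / (1.0 + math.exp(-max(-500.0, min(500.0, z))))

def make_flows(n, seed=7):
    """Constructed flow records [duration_s, fwd_packets, bytes_per_packet]; label 1 = attack."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        attack = rng.random() < 0.3
        if attack:  # many small packets in a short flow, flood-like
            X.append([rng.gauss(0.3, 0.2), rng.gauss(60, 15), rng.gauss(80, 30)])
        else:       # longer flows with fewer, larger packets
            X.append([rng.gauss(3.0, 1.0), rng.gauss(12, 5), rng.gauss(600, 200)])
        y.append(int(attack))
    return X, y

def zscore_params(X):
    """Per-feature mean and population std (a zero std is replaced by 1)."""
    d, n = len(X[0]), len(X)
    mean = [sum(r[j] for r in X) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in X) / n) or 1.0 for j in range(d)]
    return mean, std

def zscore(X, mean, std):
    return [[(v - m) / s for v, m, s in zip(r, mean, std)] for r in X]

class KNN:
    """Base learner 1: fraction of attack flows among the k nearest training rows."""
    k = 5
    def fit(self, X, y):
        self.X, self.y = X, y
        return self
    def predict_proba(self, X):
        probs = []
        for q in X:
            order = sorted(range(len(self.X)), key=lambda i: sum((a - b) ** 2 for a, b in zip(q, self.X[i])))
            probs.append(sum(self.y[i] for i in order[:self.k]) / self.k)
        return probs

class NearestCentroid:
    """Base learner 2: attack score from the distance gap between the two class centroids."""
    def fit(self, X, y):
        self.c = [[sum(r[j] for r, t in zip(X, y) if t == c) / y.count(c) for j in range(len(X[0]))] for c in (0, 1)]
        return self
    def predict_proba(self, X):
        dist = lambda r, c: math.sqrt(sum((a - b) ** 2 for a, b in zip(r, c)))
        return [sigmoid(dist(r, self.c[0]) - dist(r, self.c[1])) for r in X]

class LogisticMeta:
    """Meta-classifier: logistic regression over base-model probabilities (batch gradient descent)."""
    def fit(self, F, y, lr=0.5, epochs=500):
        self.w = [0.0] * (len(F[0]) + 1)          # bias + one weight per base model
        for _ in range(epochs):
            grad = [0.0] * len(self.w)
            for f, t in zip(F, y):
                err = self._p(f) - t                 # derivative of the cross-entropy loss
                grad[0] += err
                for j, fj in enumerate(f):
                    grad[j + 1] += err * fj
            self.w = [wi - lr * g / len(F) for wi, g in zip(self.w, grad)]
        return self
    def _p(self, f):
        return sigmoid(self.w[0] + sum(wi * fj for wi, fj in zip(self.w[1:], f)))
    def predict_proba(self, F):
        return [self._p(f) for f in F]

def oof_meta_features(bases, X, y, folds=5):
    """Out-of-fold base predictions: row i is predicted only by models fitted without row i."""
    n = len(X)
    meta = [[0.0] * len(bases) for _ in range(n)]
    for k in range(folds):
        val = [i for i in range(n) if i % folds == k]
        trn = [i for i in range(n) if i % folds != k]
        for j, make in enumerate(bases):
            model = make().fit([X[i] for i in trn], [y[i] for i in trn])
            for i, p in zip(val, model.predict_proba([X[i] for i in val])):
                meta[i][j] = p
    return meta

def fit_stack(bases, X, y):
    """Train the meta-classifier on out-of-fold features, then refit every base model on all rows."""
    meta = LogisticMeta().fit(oof_meta_features(bases, X, y), y)
    return [make().fit(X, y) for make in bases], meta

def predict_stack(fitted, meta, X):
    return meta.predict_proba([list(row) for row in zip(*[m.predict_proba(X) for m in fitted])])

def accuracy(probs, y):
    return sum(int(p >= 0.5) == t for p, t in zip(probs, y)) / len(y)

def run_demo():
    """Fit the stack on 300 constructed flows and score 100 held-out ones; returns test accuracy."""
    X, y = make_flows(300)
    Xt, yt = make_flows(100, seed=11)
    mean, std = zscore_params(X)                  # normalization statistics from training data only
    X, Xt = zscore(X, mean, std), zscore(Xt, mean, std)
    fitted, meta = fit_stack([KNN, NearestCentroid], X, y)
    return accuracy(predict_stack(fitted, meta, Xt), yt)

if __name__ == "__main__":
    print(f"stacked test accuracy: {run_demo():.3f}")
```

Because the constructed classes are well separated, the stack reaches near-perfect accuracy; the structure is what carries over to real traffic: swap the two stand-in learners for the paper's base models and the out-of-fold loop and the train-only normalization stay the same.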
Keywords: threats, intrusion detection, hybrid classification, stacking, cybersecurity, cyber defense, machine learning,
models, malicious activity.
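The two model-selection rules named in the abstract, a Pareto front over accuracy, F1 and prediction time, and heuristic filtering by the mean value of each metric, are implemented below as an added example that is not the authors' code. The candidate names follow the abstract, but their scores are constructed for illustration and are not the paper's measured results; the domination rule (no worse on every objective, strictly better on at least one) and the mean-threshold filter are standard definitions. The example also shows why the paper applies both: the mean filter can admit a model that the Pareto front rejects because some other candidate beats it on every objective.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    accuracy: float   # higher is better
    f1: float         # higher is better
    time_ms: float    # mean prediction time, lower is better

# Constructed scores for illustration only; not values reported in the paper.
CANDIDATES = [
    Candidate("svm",      0.955, 0.930, 12.4),
    Candidate("rf",       0.968, 0.947,  7.0),
    Candidate("knn",      0.940, 0.915, 40.2),
    Candidate("xgboost",  0.978, 0.962,  7.5),
    Candidate("lightgbm", 0.975, 0.958,  5.1),
    Candidate("catboost", 0.979, 0.960,  8.9),
]

def dominates(a: Candidate, b: Candidate) -> bool:
    """a dominates b if it is no worse on every objective and strictly better on at least one."""
    no_worse = a.accuracy >= b.accuracy and a.f1 >= b.f1 and a.time_ms <= b.time_ms
    strictly = a.accuracy > b.accuracy or a.f1 > b.f1 or a.time_ms < b.time_ms
    return no_worse and strictly

def pareto_front(cands):
    """Non-dominated candidates, in input order."""
    return [c for c in cands if not any(dominates(o, c) for o in cands if o is not c)]

def heuristic_filter(cands):
    """Keep candidates at or above the mean accuracy and F1 and at or below the mean time."""
    n = len(cands)
    mean_acc = sum(c.accuracy for c in cands) / n
    mean_f1 = sum(c.f1 for c in cands) / n
    mean_t = sum(c.time_ms for c in cands) / n
    return [c for c in cands
            if c.accuracy >= mean_acc and c.f1 >= mean_f1 and c.time_ms <= mean_t]

def select(cands):
    """Names passing each rule, so the two selections can be compared side by side."""
    return {"pareto": [c.name for c in pareto_front(cands)],
            "heuristic": [c.name for c in heuristic_filter(cands)]}

if __name__ == "__main__":
    for rule, names in select(CANDIDATES).items():
        print(f"{rule:9s} -> {names}")
```

With these constructed scores the mean filter keeps `rf`, which is above average on every metric, while the Pareto front drops it because `lightgbm` is more accurate, has a higher F1 and is faster; the three boosting models survive both rules, and the final choice among them is the accuracy-versus-latency trade-off the abstract's 7.16 ms figure reflects.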