Abstract: A network intrusion detection algorithm that combines systematic data pre-processing and hybrid sampling is proposed for the problem of class imbalance in intrusion detection datasets. Based on the feature distribution of the intrusion detection dataset, the feature values are systematically processed as follows: for the three categorical features, “Proto’’,“Service’’ and “State’’, minor categories within each feature are combined to reduce the total dimension of one-hot encoding; the 18 extremely distributed numerical features are processed with logarithm and then standardized according to the numerical distribution. The class imbalance processing technology, which combines Nearmiss-1 under-sampling and SMOTE ( Synthetic Minority Over-sampling Technique) is designed. Each class of samples in the training dataset is divided into sub-classes based on the “Proto’’,“ Service’’ and “ State’’ categorical features, and each sub-class is under-sampled or oversampled in equal proportion. The intrusion detection model PSSNS-RF ( Nearmiss and SMOTE based on Proto, Service, State-Random Forest) is built, which achieves a 97. 02% multiclass detection rate in the UNSW-NB15 dataset, resolving the data imbalance problem and significantly improving the detection rate of minority classes.

Key words: network intrusion detection, imbalanced dataset, feature selection, network security