A WELCH’S t-TEST-BASED FEATURE SELECTION FRAMEWORK FOR NETWORK INTRUSION DETECTION

Abstract

The unprecedented growth of digital infrastructure, cloud-based services, and Internet-of-Things deployments has been accompanied by a parallel surge in the volume and sophistication of network-based cyber-attacks. Intrusion Detection Systems (IDS) play a central role in the defensive posture of modern organisations by continuously monitoring network traffic and flagging activity that deviates from expected behaviour. Machine learning-based IDS have largely supplanted purely signature-driven detectors because of their ability to generalise to previously unseen attack patterns, but their predictive performance and computational footprint are extremely sensitive to the input feature space. Modern network-traffic datasets routinely contain dozens of derived attributes, many of which are noisy, redundant, or only weakly predictive; including them indiscriminately inflates training time, increases overfitting risk, and dilutes the signal that genuinely separates benign and malicious flows. This dissertation develops, implements and empirically evaluates a statistically motivated feature-selection framework based on Welch’s t-test for the binary classification of network traffic into normal and attack categories. Welch’s t-test is a two-sample location test that, unlike the classical Student’s t-test, does not assume equal variances between the two populations being compared. This relaxation makes it particularly well-suited to intrusion-detection datasets, where the variances of attack and benign-traffic feature distributions are typically very different. For each numerical feature in the dataset, Welch’s t-test produces a t-statistic whose absolute value can be interpreted as a measure of how strongly that feature separates the two classes; ranking features by |t| therefore yields a fast, transparent, and theoretically defensible filter selector. The framework is evaluated on the UNSW-NB15 benchmark dataset, which contains 257,673 records of network traffic collected at the Cyber Range Lab of UNSW Canberra and covers nine attack families (Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and Worms) alongside normal traffic. After standard preprocessing, the dataset retains 42 informative features. Six classifiers from distinct algorithmic families — Logistic Regression, Decision Tree, Random Forest, Gradient Boosting, AdaBoost, and XGBoost — are trained on feature subsets selected by Welch’s t-test at varying cardinalities. Cross-validated, stratified train–test evaluation is used throughout to obtain robust generalisation estimates. Three principal findings emerge from the experiments. First, Welch’s t-test pro duces a stable, interpretable ranking of features in which control-traffic attributes such as the source-to-destination time-to-live (sttl), the connection-rate counters (ct_dst_sport_ltm, vi ct_state_ttl, ct_src_dport_ltm), and the per-second packet rate dominate. Second, classi fication accuracy increases sharply as the most informative features are added but plateaus at approximately k = 30 features, beyond which extra features yield diminishing or even slightly negative returns; selecting only the top 30 features therefore offers a near-optimal accuracy–efficiency trade-off. Third, applying Welch’s t-test as a pre-classifier filter improves every single classifier we evaluated; the gain is most pronounced for Random Forest, whose accuracy rises from 80.81% (no feature selection) to 95.18% (with Welch-selected top-30 features). Random Forest achieves the best overall performance, narrowly outperforming XGBoost (95.10%) and Decision Tree (93.90%) in terms of overall accuracy while also delivering a balanced precision–recall profile across both the normal and attack classes. Beyond the headline accuracy numbers, the framework demonstrates that a care fully justified statistical filter can compete favourably with more expensive wrapper-based or embedded feature-selection schemes while remaining easy to audit, easy to implement, and computationally inexpensive enough to run on embedded or edge-deployed IDS infras tructure. The dissertation closes with a discussion of the framework’s limitations, including its inability to capture pairwise feature interactions, its sensitivity to severe class imbalance, and its reliance on the binary normal-versus-attack abstraction. Promising avenues for future work include hybridising Welch’s t-test with mutual-information or relief-based methods, extending the pipeline to multi-class attack-family classification, and integrating it with deep-learning encoders for online, real-time intrusion detection.