Login
Register
Submit a Paper
Propose a Special lssue
Open Access
ARTICLE
Domain Knowledge-Guided Training for NIDS: A Class-Agnostic Evaluation of Robustness on Imbalanced Datasets
College of Computing and Information Technology, Arab Academy for Science, Technology and Maritime Transport, Smart Village, Giza, Egypt
* Corresponding Author: Zakaria S. M. Abdelhalim. Email:
Journal of Cyber Security 2026, 8, 153-169. https://doi.org/10.32604/jcs.2026.079097
Received 14 January 2026; Accepted 10 March 2026; Issue published 06 April 2026
View Full Text
Download PDFAbstract
The rapid expansion of IoT and cloud services has increased the scale and complexity of modern networks, making intrusion detection challenging. Although deep learning-based Network Intrusion Detection Systems (NIDS) often report high accuracy, such metrics can be misleading on highly imbalanced datasets, where performance is dominated by majority classes and rare attacks remain poorly detected. This issue stems from global optimization strategies that encourage models to rely on dominant feature patterns, limiting their ability to capture the class-specific features required to identify infrequent attack types. To address this limitation, this work proposes a domain knowledge-guided attentional training framework. In the first stage, SHAP is used to extract per-class feature importance vectors, identifying features that are relevant or negligible for each attack type. In the second stage, a knowledge-guided loss function introduces a weighted gradient regularization term that penalizes reliance on features deemed unimportant for the target class, encouraging the model to focus on class-specific features. The proposed approach is evaluated on the highly imbalanced CIC-IDS-2017 dataset. While a baseline CNN achieved an overall accuracy of 99.39%, it failed to detect rare attacks such as Heartbleed (F1 score = 0.0). In contrast, the knowledge-guided model demonstrated improved robustness across attack classes. Emphasizing Macro F1 score as a class-agnostic metric, the proposed framework improved the Macro F1 from 0.6180 to 0.7560, achieved an F1 score of 1.0 on Heartbleed, and maintained overall accuracy (99.56%). Overall, this work enables NIDS to move beyond static optimization by focusing on class-specific features, leading to improved generalization for rare attacks.Keywords
IDS; deep learning; imbalanced learning; SHAP; gradient regularization
Cite This Article
APA Style
Abdelhalim, Z.S.M., Belal, N., Seifeldin, M. (2026). Domain Knowledge-Guided Training for NIDS: A Class-Agnostic Evaluation of Robustness on Imbalanced Datasets. Journal of Cyber Security, 8(1), 153–169. https://doi.org/10.32604/jcs.2026.079097
Vancouver Style
Abdelhalim ZSM, Belal N, Seifeldin M. Domain Knowledge-Guided Training for NIDS: A Class-Agnostic Evaluation of Robustness on Imbalanced Datasets. J Cyber Secur. 2026;8(1):153–169. https://doi.org/10.32604/jcs.2026.079097
IEEE Style
Z. S. M. Abdelhalim, N. Belal, and M. Seifeldin, “Domain Knowledge-Guided Training for NIDS: A Class-Agnostic Evaluation of Robustness on Imbalanced Datasets,” J. Cyber Secur., vol. 8, no. 1, pp. 153–169, 2026. https://doi.org/10.32604/jcs.2026.079097
Copyright © 2026 The Author(s). Published by Tech Science Press.This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Downloads
Citation Tools
