2024 PHM: PHM-Based Performance Modeling for Cyberattack Classifiers

PHM-Based Modeling for Cyberattack Classifier Performance
Priscila Silva
Department of Electrical and Computer Engineering, University of Massachusetts Dartmouth, Dartmouth, MA, 02747, USA
psilva4@umassd.edu
ABSTRACT
This research implements Prognostics and Health Management (PHM) using multiple linear regression and multivariate time series models to monitor and predict when the performance of a Machine Learning-based cyberattack classifier might degrade to an unacceptable level, enabling preemptive maintenance strategies.
1. INTRODUCTION
A Network Intrusion Detection System (NIDS) (Liao et al., 2013) analyzes network traffic to detect suspicious patterns or anomalies, alerting administrators to potential threats. Deep neural networks (DNNs) (Ahmad et al., 2020) are Machine Learning (ML) techniques often employed in NIDS for their ability to accurately classify cyberattacks (Lewis, 2002) such as malware infections and denial-of-service attacks. Although DNNs perform well in identifying known attacks (Baye et al., 2023), their resilience against unknown activities is less studied.
Problem to be addressed: Past research (Javaid et al., 2016; Sharma et al., 2019; Wu et al., 2020; Narayana Rao et al., 2021; Lo et al., 2022) has explored various techniques to enhance the robustness of DNNs. However, these techniques often rely on specific benchmark datasets, leading to incomplete representations of real-world network settings, and require long training times, posing challenges in promptly and cost-effectively identifying cyberattacks. Furthermore, there is a lack of quantitative assessment regarding the reliability of these techniques’ predictions over time. Without predictive models that can monitor classifiers in real time and forecast future performance, anticipating new threats and adapting NIDS performance strategies may be challenging.
Expected novel contributions: This research implements Prognostics and Health Management (PHM) techniques, including multiple linear regression (Kleinbaum, Kupper, Nizam, & Rosenberg, 1999) and multivariate time series models (Brandt & Williams, 2007), to monitor and predict the performance of DNNs based on the proximity of incoming real-time cyberattacks to known classes. Anticipating the performance of classifiers might streamline the testing process with new datasets, reducing evaluation time in the face of unknowns. Additionally, it aids in monitoring and assurance for NIDS, empowering professionals to gauge NIDS performance trends, proactively address potential performance degradation, and identify optimal maintenance strategies to sustain performance.
Priscila Silva. This is an open-access article distributed under the terms of the Creative Commons Attribution 3.0 United States License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Proposed research plan: The proposed research, initiated in Fall 2022 and scheduled for completion by Spring 2026, encompasses a comprehensive plan within the PhD program. The main activities include: (i) model changes in the performance of cyberattack classifiers with different PHM techniques (2022); (ii) enhance prediction capabilities through improved parameter estimation techniques (2023); (iii) formulate optimization problems to identify resilience requirements such as maintenance schedules (2024); (iv) retrain classifiers based on identified resilience requirements to rapidly and efficiently restore classifier performance after degradations (2025); and (v) submit manuscript and defend dissertation (2026). In sum, this PhD dissertation proposes to ensure the continuous and reliable operation of ML-based cyberattack classifiers using PHM techniques, which is crucial for enhancing system resilience by identifying the best timing for interventions to effectively mitigate risks and recover from adversarial attacks.
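An added illustration, not code from the paper, of the monitoring idea described above: the F1-Score of each monitoring window is regressed on time and a proximity covariate, and the fitted model forecasts the first window in which F1 falls below an acceptable level. The window counts, the distance measure, the 0.855 threshold and all function names are assumptions constructed for this example.

```python
# Added illustration: every number below is constructed, not taken from the paper.

def f1_score(tp, fp, fn):
    """F1 = 2TP / (2TP + FP + FN); 0.0 when the window has no positives at all."""
    denom = 2 * tp + fp + fn
    return 2 * tp / denom if denom else 0.0

def fit_ols(rows, y):
    """Least-squares fit of y ~ b0 + b1*x1 + ... via the normal equations."""
    X = [[1.0] + list(r) for r in rows]
    k = len(X[0])
    # Augmented matrix [X^T X | X^T y]
    A = [[sum(x[i] * x[j] for x in X) for j in range(k)]
         + [sum(x[i] * yi for x, yi in zip(X, y))] for i in range(k)]
    for c in range(k):  # Gauss-Jordan elimination with partial pivoting
        p = max(range(c, k), key=lambda r: abs(A[r][c]))
        if abs(A[p][c]) < 1e-12:
            raise ValueError("predictors are collinear; cannot fit")
        A[c], A[p] = A[p], A[c]
        for r in range(k):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [A[i][k] / A[i][i] for i in range(k)]

def predict(coef, t, dist):
    """Predicted F1 for window t at the given distance to known classes."""
    return coef[0] + coef[1] * t + coef[2] * dist

def first_breach(coef, threshold, future):
    """First future window whose predicted F1 is below the threshold, else None."""
    for t, dist in future:
        if predict(coef, t, dist) < threshold:
            return t
    return None

# Constructed log: (window, TP, FP, FN, hypothetical distance of traffic to known classes)
WINDOWS = [(0, 97, 3, 3, 0.1), (1, 95, 5, 5, 0.2), (2, 95, 4, 6, 0.1),
           (3, 92, 8, 8, 0.3), (4, 92, 7, 9, 0.2), (5, 89, 11, 11, 0.4)]

def fit_monitor(windows=WINDOWS):
    y = [f1_score(tp, fp, fn) for _, tp, fp, fn, _ in windows]
    return fit_ols([(t, d) for t, _, _, _, d in windows], y)

if __name__ == "__main__":
    coef = fit_monitor()
    steady = [(t, 0.4) for t in range(6, 15)]  # traffic stays as in the last window
    drifting = [(t, 0.4 + 0.1 * (t - 5)) for t in range(6, 15)]  # drift continues
    print("coefficients:", [round(c, 4) for c in coef])
    print("breach (steady):", first_breach(coef, 0.855, steady))
    print("breach (drifting):", first_breach(coef, 0.855, drifting))
```

Comparing the two forecast scenarios shows how continued drift away from known classes brings the predicted breach forward, which is the signal a maintenance schedule would act on.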
2. CYBERATTACK CLASSIFIERS
A deep neural network (DNN) consists of interconnected layers of neurons governed by mathematical functions. In NIDS, DNNs receive NIDS benchmark payload data - packet sections transmitting network information often hiding malware - in the input layer, pass it through hidden layers to extract features, and make predictions at the output layer. Training DNNs to learn attack patterns involves refining hyperparameters for optimal performance using evaluation metrics such as the F1-Score. The F1-Score is a reliable measure of NIDS classifier performance since it measures the overall model balance between identifying true cyberattacks among