Table 1.
Representative related work and positioning of TAN-IDS.
Table 2.
Related work matrix comparing evaluation capabilities across representative IDS studies.
Fig 1.
Overview of the proposed TAN-IDS framework.
TAN-IDS unifies heterogeneous IDS datasets into a common NetFlow feature space and organizes domain-aware evaluation scenarios, including in-dataset, cross-dataset, mixed-domain, and transfer-aware fine-tuning.
Fig 2.
Detailed pipeline of the TAN-IDS evaluation framework.
The scenario controller defines domain-aware evaluation protocols, including in-dataset, cross-dataset, mixed-domain, and transfer-aware fine-tuning, independently of the classifier choice. Pluggable classifiers (Random Forest, XGBoost, Multilayer Perceptron, with an optional Transformer-based baseline) are trained and evaluated within a unified 8-dimensional NetFlow feature space. All preprocessing statistics are computed exclusively on training splits to prevent data leakage.
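The leakage-avoidance rule stated in this caption (preprocessing statistics computed exclusively on training splits) can be sketched as follows. This is a minimal NumPy illustration under stated assumptions, not the paper's implementation; the function names and synthetic data are hypothetical.

```python
import numpy as np

def fit_standardizer(train):
    # Compute mean/std on the TRAINING split only, so no test-set
    # information leaks into the preprocessing statistics.
    mu = train.mean(axis=0)
    sigma = train.std(axis=0)
    sigma[sigma == 0] = 1.0  # guard against constant features
    return mu, sigma

def apply_standardizer(x, mu, sigma):
    # Reuse the train-split statistics on any split (train, test, target domain).
    return (x - mu) / sigma

rng = np.random.default_rng(0)
X_train = rng.normal(5.0, 2.0, size=(100, 8))  # 8-dimensional NetFlow feature space
X_test = rng.normal(5.0, 2.0, size=(20, 8))

mu, sigma = fit_standardizer(X_train)
Z_train = apply_standardizer(X_train, mu, sigma)
Z_test = apply_standardizer(X_test, mu, sigma)  # train stats only, never refit on test
```

The same discipline applies in the cross-dataset scenarios: statistics fitted on the source-domain training split are reused unchanged when scoring the target domain.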
Table 3.
Transfer-aware evaluation scenarios supported by TAN-IDS.
Table 4.
Statistics of the NetFlow datasets used in TAN-IDS.
Table 5.
Mapping and description of the eight common NetFlow features shared between UNSW-NB15 (NetFlow) and NF-CSE-CIC-IDS2018. Non-continuous fields (protocol and TCP flags) are encoded deterministically; ports are treated as bounded numeric variables.
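The deterministic encoding described here might look like the following sketch. The function and dictionary names are hypothetical (the caption does not specify the exact scheme); the protocol numbers are the standard IANA assignments, and ports/flag bytes are clipped to their natural numeric ranges rather than one-hot or learned encodings.

```python
# IANA-assigned protocol numbers: a fixed, deterministic mapping.
PROTO_CODES = {"tcp": 6, "udp": 17, "icmp": 1}

def encode_flow_fields(proto, tcp_flags, src_port, dst_port):
    # Protocol name -> fixed numeric code (0 for unknown protocols).
    proto_code = PROTO_CODES.get(proto.lower(), 0)
    # TCP flags: the flag byte treated as a bounded integer in [0, 255].
    flags = max(0, min(int(tcp_flags), 255))
    # Ports: bounded numeric variables clipped to the valid 16-bit range.
    sp = max(0, min(int(src_port), 65535))
    dp = max(0, min(int(dst_port), 65535))
    return [proto_code, flags, sp, dp]
```

Because the mapping is fixed rather than fitted, the same encoder applies identically across datasets, which is what makes the unified feature space comparable across domains.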
Table 6.
Key hyperparameters for MLP, Random Forest, XGBoost, and FlowTransformer-lite (baseline) in TAN-IDS.
Fig 3.
Performance comparison across evaluation scenarios.
(a–b) In-dataset performance measured by F1-macro and attack recall. (c–d) Cross-dataset evaluation results. Preprocessing statistics are computed on training splits only to avoid data leakage.
Table 7.
In-dataset evaluation results (S1–S8).
Table 8.
Cross-dataset evaluation results (S9–S16).
Fig 4.
Transfer and adaptation performance across domains.
(a–b) Mixed-domain training results measured by F1-macro and attack recall. (c–d) Fine-tuning with limited labeled target-domain data.
Fig 5.
Attack-class precision–recall across cross-dataset and fine-tuning scenarios.
The results illustrate how domain mismatch and limited target-domain adaptation jointly affect attack detection sensitivity and false-alarm propensity.
Table 9.
Mixed-domain training results (S17–S24).
Table 10.
Fine-tuning results with 5% labeled target subset (S25–S32).