A research framework called Multi-Level Distributional Entropy can detect network intrusions without ever touching raw packet data — and it reveals why the metrics most IDS tools report are misleading.
Researchers proposed MDE as a way to extract meaningful signal from the pre-aggregated flow statistics that most network monitoring tools already collect. The framework operates at three levels: Gaussian differential entropy within individual flows, Jensen-Shannon divergence between traffic directions, and Shannon entropy across TCP flag patterns. Tested across four standard benchmarks — NSL-KDD, CICIDS-2017, CICIDS-2018, and UNSW-NB15 — entropy-only features hit weighted F1 scores between 0.708 and 0.989, matching what conventional feature sets produce.
The more useful finding is what the paper exposes about F1 scores as a reporting standard. On CICIDS-2018, an F1 of 0.74 masked a detection rate of just 0.48 — meaning nearly half of real attacks went uncaught. On held-out attack families, F1 exceeded 0.998 while the detection rate dropped to zero. That gap between headline metric and operational reality is the kind of thing that gets organizations breached.
The temporal shift results are the sharpest edge here: in a replay of 703,000 flows, score ranking held up (AUC of 0.87) but fixed decision thresholds collapsed, with detection rate falling to 0.082 and recalibration offering no recovery. Most deployed IDS products ship with fixed thresholds and advertise aggregate F1 — this paper makes a reasonable case that both practices deserve scrutiny.