A Hybrid Certainty Factor–XGBoost Approach for Cyberattack Detection Using the TON_IoT Dataset
DOI: https://doi.org/10.63158/journalisi.v8i2.1519
Keywords: intrusion detection, TON_IoT, Certainty Factor, XGBoost, explainable cyberattack detection
Abstract
Computer networks are vital to modern organizations, yet growing digital dependence has increased both the frequency and complexity of cyberattacks. To address this challenge, this study proposes an interpretable cyberattack detection framework that combines rule-based reasoning with machine learning through a hybrid Certainty Factor (CF)–XGBoost model. The framework integrates CF confidence scores and XGBoost probability outputs within a meta-learning classifier, enabling strong predictive performance while preserving explainability. Experiments conducted on the TON_IoT dataset using an 80:20 stratified split demonstrate that XGBoost achieved the highest accuracy at 99.61%, followed closely by the hybrid model at 99.42%, whereas the standalone CF model reached 76.31%. Although the hybrid approach produced a slightly lower accuracy than XGBoost alone, it substantially enhanced interpretability by connecting predictions to explicit rule-based reasoning. This makes the proposed framework especially suitable for Security Operations Center (SOC) environments, where transparent decision-making is essential. Overall, the findings suggest that the hybrid CF–XGBoost model offers a practical and explainable solution for cyberattack detection, though further validation on more diverse datasets is necessary before real-world deployment.
License
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights.