Cosine Distance-Based Fuzzy C-Means Clustering for Local Classification in Imbalanced Network Intrusion Detection

Authors

  • Ngoc-Bich Giap Thi Posts and Telecommunications Institute of Technology, Hanoi, Vietnam
  • Van-Nhan Nguyen Faculty of Information Technology, Dai Nam University, Hanoi, Vietnam
  • Anh-Thu Pham Posts and Telecommunications Institute of Technology, Hanoi, Vietnam
  • Trong-Minh Hoang Posts and Telecommunications Institute of Technology, Hanoi, Vietnam

DOI:

https://doi.org/10.15837/ijccc.2026.3.7305

Keywords:

network intrusion detection, fuzzy C-Means clustering, cosine distance, class imbalance, machine learning

Abstract

Network Intrusion Detection Systems (NIDS) deal with class imbalance in network traffic data, where minority attack classes are underestimated. FCM-Cosine, a modified Fuzzy C-Means clustering algorithm, replaces Euclidean distance in the objective function with Cosine distance to better capture directional similarity in high-dimensional feature spaces. The cluster-then-classify framework decomposes the global intrusion detection problem into localized classification sub-problems to detect minority attack classes. Five classifiers have been examined on the CICIoT2023 dataset at two scales (16,100 and 465,000 samples). FCM-Cosine had an average F1-Macro of 69.36%, while Decision Tree had 86.79%, resulting in a 37.97% improvement over direct training. The framework is ten times faster than SMOTE (19.18s vs. 189.73s average training time) and scales nearly linearly with dataset size. Results demonstrate that FCM-Cosine offers competitive classification performance with computational efficiency for large-scale NIDS deployments.

References

ENISA, ENISA Threat Landscape 2025, European Union Agency for Cybersecurity, 2025.

CISA, 2024 Year in Review, Cybersecurity and Infrastructure Security Agency, 2024.

S. Parhizkari, "Anomaly detection in intrusion detection systems," in Anomaly Detection - Recent Advances, AI and ML Perspectives and Applications, IntechOpen, 2023. https://doi.org/10.5772/intechopen.112733

D. Chou and M. Jiang, "A survey on data-driven network intrusion detection," ACM Comput. Surveys, vol. 54, no. 9, pp. 1-36, Dec. 2022. https://doi.org/10.1145/3472753

R. Vaarandi and A. Guerra-Manzanares, "Network IDS alert classification with active learning techniques," Journal of Information Security and Applications, vol. 81, Art. no. 103687, 2024. https://doi.org/10.1016/j.jisa.2023.103687

A. Miranda-Garc'ıa, A. Z. Rego, I. Pastor-L'opez, B. Sanz, A. Tellaeche, J. Gaviria, and P. G. Bringas, "Deep learning applications on cybersecurity: A practical approach," Neurocomputing, vol. 563, Art. no. 126904, 2024. https://doi.org/10.1016/j.neucom.2023.126904

T.-M. Hoang, V.-N. Nguyen, T.-L. Le Thi, M.-H. Nguyen, and N.-H. Nguyen, "A hybrid intrusion detection system model integrated explainable AI and multi expert systems to adapt edge computing," Cluster Computing, vol. 28, no. 10, p. 649, 2025. https://doi.org/10.1007/s10586-025-05480-0

V. Shanmugam et al., "Addressing class imbalance in intrusion detection systems: A comprehensive evaluation of machine learning approaches," Electronics, 2025. [Online]. Available: https://www.mdpi.com/2079-9292/14/1/69 https://doi.org/10.3390/electronics14010069

M. Altalhan, A. Algarni, and M. T.-H. Alouane, "Imbalanced data problem in machine learning: A review," IEEE Access, 2025. https://doi.org/10.1109/ACCESS.2025.3531662

F. Farahnakian, F. Nicolas, F. Farahnakian, P. Nevalainen, J. Sheikh, J. Heikkonen, and C. Raduly-Baka, "A comprehensive study of clustering-based techniques for detecting abnormal vessel behavior," Remote Sensing, vol. 15, no. 6, p. 1477, 2023. https://doi.org/10.3390/rs15061477

A. Prasad et al., "Optimizing IoT intrusion detection with cosine similarity based dataset balancing and hybrid deep learning," Scientific Reports, 2025. https://doi.org/10.1038/s41598-025-15631-3

A. Hozouri et al., "A comprehensive survey on intrusion detection systems with advances in machine learning, deep learning and emerging cybersecurity challenges," Open Access, 2025. https://doi.org/10.1007/s44163-025-00578-1

S. Ennaji et al., "Adversarial challenges in network intrusion detection systems: Research insights and future prospects," IEEE Access, 2025. https://doi.org/10.1109/ACCESS.2025.3600984

N. K. Bello and M. M. Siraj, "A review on network intrusion detection system using machine learning," International Journal of Innovative Computing, vol. 8, no. 1, 2020.

M. W. Nawaz et al., "Multi-class network intrusion detection with class imbalance via LSTM & SMOTE," arXiv preprint 2310.01850, 2023.

U. Ahmed et al., "Signature-based intrusion detection using machine learning and deep learning approaches empowered with fuzzy clustering," Scientific Reports, vol. 15, 2025. https://doi.org/10.1038/s41598-025-85866-7

E. I. Elsedimy and S. M. M. AboHashish, "An intelligent hybrid approach combining fuzzy Cmeans and the sperm whale algorithm for cyber attack detection in IoT networks," Scientific Reports, 2025. https://doi.org/10.1038/s41598-024-79230-4

A. Hozouri et al., "A comprehensive survey on intrusion detection systems with advances in machine learning, deep learning and emerging cybersecurity challenges," Discover Artificial Intelligence, vol. 5, no. 314, 2025. https://doi.org/10.1007/s44163-025-00578-1

A. Vabalas, E. Gowen, E. Poliakoff, and A. J. Casson, "Machine learning algorithm validation with a limited sample size," PLoS ONE, vol. 14, no. 11, Art. no. e0224365, 2019. https://doi.org/10.1371/journal.pone.0224365

Additional Files

Published

2026-05-26

Issue

Vol. 21 No. 3 (2026): International Journal of Computers Communications & Control (June)

Section

Articles

License

Copyright (c) 2026 Ngoc-Bich Giap Thi, Van-Nhan Nguyen, Anh-Thu Pham, Trong-Minh Hoang

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

ONLINE OPEN ACCES: Acces to full text of each article and each issue are allowed for free in respect of Attribution-NonCommercial 4.0 International (CC BY-NC 4.0.

You are free to:

-Share: copy and redistribute the material in any medium or format;

-Adapt: remix, transform, and build upon the material.

The licensor cannot revoke these freedoms as long as you follow the license terms.

 

DISCLAIMER: The author(s) of each article appearing in International Journal of Computers Communications & Control is/are solely responsible for the content thereof; the publication of an article shall not constitute or be deemed to constitute any representation by the Editors or Agora University Press that the data presented therein are original, correct or sufficient to support the conclusions reached or that the experiment design or methodology is adequate.

Most read articles by the same author(s)

Obs.: This plugin requires at least one statistics/report plugin to be enabled. If your statistics plugins provide more than one metric then please also select a main metric on the admin's site settings page and/or on the journal manager's settings pages.