Feature Selection for Improving ANN and CNN Models for Attack Detection in Zeek Network Data
Sikha S. Bagui, Mohamed Elbatouty, Dustin Mink, Subhash C. Bagui

In the past few years, cyber-attacks have risen at an exponential rate across all sectors, and both private and public institutions have faced increasingly sophisticated threats. As this upward trend continues, advanced and efficient threat detection systems are essential. This paper investigates the use of feature importance (FI) coefficients to improve Artificial Neural Network (ANN) and Convolutional Neural Network (CNN) models, leveraging feature selection to enhance model interpretability and optimize performance. By systematically filtering out the weaker features, we examine the impact of the reduced feature set on model accuracy, precision, recall, and F1 score. Experiments were conducted on two new datasets, UWF-ZeekDataSum2025-1 and UWF-ZeekDataSum2025-2, using a baseline ANN/CNN architecture and multiple architectural variants. The results on UWF-ZeekDataSum2025-1 show a clear performance gain for certain feature importance thresholds, with models such as ANN-Minimal, ANN-Overfit-Wide, ANN-Shallow-Low-Optimization, CNN-Shallow, and CNN-Very-Shallow outperforming the baseline after reducing the feature space from seventeen features to fewer than four. For UWF-ZeekDataSum2025-2, improvements occur across a broader range of thresholds, with models including ANN-Deep-Sub-Conv, ANN-Shallow-Low-Opt, CNN-Shallow, CNN-Very-Shallow, and ANN-Minimal exceeding 95% performance around the 0.25–0.28 thresholds, with additional gains at 0.31–0.32 for some architectures. These findings demonstrate that by strategically leveraging feature importance coefficient thresholds, we can significantly enhance neural network intrusion detection systems, offering a reproducible pathway for adapting these methods to similar environments.