Enhancing Threat Hunting in Wazuh through a Hybrid Random Forest Model: A Comparative Study for Reducing MTTD and MTTR in Cybersecurity Operations

Authors

  • Yuri Ariyanto Department of Information Technology, Politeknik Negeri Malang, Malang, Indonesia
  • Yan Watequlis Syaifudin Department of Information Technology, Politeknik Negeri Malang, Malang, Indonesia
  • Pramana Yoga Saputra Department of Information Technology, Politeknik Negeri Malang, Malang, Indonesia
  • Chandrasena Setiadi Department of Electrical Engineering, Politeknik Negeri Malang, Malang, Indonesia
Volume: 16 | Issue: 1 | Pages: 32459-32465 | February 2026 | https://doi.org/10.48084/etasr.16043

Abstract

The increasing sophistication of cyberattacks demands intelligent, adaptive Intrusion Detection Systems (IDSs) capable of rapid threat detection and response. This study proposes a Hybrid Random Forest (HRF) model integrated with the Wazuh platform to enhance threat hunting by reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). The model is evaluated on two benchmark datasets, CSE-CIC-IDS2018 and ToN_IoT, using a methodology aligned with state-of-the-art approaches, including data preprocessing, Pearson Correlation Coefficient (PCC)-based feature selection, and Min-Max normalization. The results show high detection accuracies of 99.12% and 99.65% on the respective datasets, with significantly lower inference time compared to deep learning models. Integration with Wazuh enables real-time alerting and automated response, reducing MTTD and MTTR by up to 75% and 65%, respectively. A comparative analysis against a hybrid GRU-BiLSTM baseline reveals that while the HRF model achieves slightly lower accuracy on ToN_IoT, it outperforms the baseline on CSE-CIC-IDS2018 and offers superior computational efficiency. This work presents a practical framework for deploying lightweight machine learning models in operational environments, demonstrating that ensemble methods like Random Forest are viable, interpretable, and operationally efficient alternatives to deep learning for proactive cybersecurity operations.
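The PCC-based feature selection and Min-Max normalization steps named in the abstract, as an added example that is not part of the paper or its code: each feature is scored by its Pearson correlation with the label, low-scoring and redundant features are dropped, and the survivors are scaled to [0, 1]. The flow records, feature names and the 0.3/0.99 thresholds are constructed for illustration; the Random Forest classifier and the Wazuh alerting are outside this block.

```python
import math

# Constructed flow records (not drawn from CSE-CIC-IDS2018 or ToN_IoT); the last field
# is the label (1 = attack). fwd_bytes is fwd_pkts * 60, a deliberately redundant
# feature, and proto_flag is constant, so its correlation is undefined.
FEATURES = ["flow_duration", "fwd_pkts", "fwd_bytes", "bwd_pkts", "ttl", "proto_flag"]
SAMPLE_ROWS = [
    (120.0, 10, 600, 8, 64, 6, 0),
    (95.0, 12, 720, 9, 128, 6, 0),
    (3.0, 400, 24000, 1, 64, 6, 1),
    (2.5, 380, 22800, 2, 128, 6, 1),
    (110.0, 9, 540, 11, 64, 6, 0),
    (1.8, 510, 30600, 0, 64, 6, 1),
]

def pearson(x, y):
    """Pearson correlation coefficient; 0.0 when either column is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0  # constant column: PCC is undefined, treat as uninformative
    return sxy / math.sqrt(sxx * syy)

def select_features(rows, names, min_label_corr=0.3, max_inter_corr=0.99):
    """Keep features with |PCC| >= min_label_corr against the label, strongest first,
    skipping any feature whose |PCC| with an already-kept feature exceeds max_inter_corr."""
    cols = {nm: [r[i] for r in rows] for i, nm in enumerate(names)}
    labels = [r[-1] for r in rows]
    score = {nm: abs(pearson(cols[nm], labels)) for nm in names}
    kept = []
    for nm in sorted(names, key=score.get, reverse=True):
        if score[nm] < min_label_corr:
            continue
        if any(abs(pearson(cols[nm], cols[k])) > max_inter_corr for k in kept):
            continue  # carries the same information as a stronger feature
        kept.append(nm)
    return kept

def min_max(rows, names, kept):
    """Scale the kept columns to [0, 1]; a zero-range column maps to 0.0 instead of dividing by zero."""
    idx = [names.index(k) for k in kept]
    lo = [min(r[i] for r in rows) for i in idx]
    hi = [max(r[i] for r in rows) for i in idx]
    return [([(r[i] - l) / (h - l) if h != l else 0.0 for i, l, h in zip(idx, lo, hi)], r[-1])
            for r in rows]

if __name__ == "__main__":
    chosen = select_features(SAMPLE_ROWS, FEATURES)
    print("kept features:", chosen)
    for vec, label in min_max(SAMPLE_ROWS, FEATURES, chosen):
        print([round(v, 3) for v in vec], "->", label)
```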

Keywords:

cybersecurity operations, feature selection, MTTD, MTTR, threat hunting


How to Cite

[1] Y. Ariyanto, Y. W. Syaifudin, P. Y. Saputra, and C. Setiadi, "Enhancing Threat Hunting in Wazuh through a Hybrid Random Forest Model: A Comparative Study for Reducing MTTD and MTTR in Cybersecurity Operations," Eng. Technol. Appl. Sci. Res., vol. 16, no. 1, pp. 32459–32465, Feb. 2026.
