JAIT 2026 Vol.17(5): 895-913
doi: 10.12720/jait.17.5.895-913

AI-Powered Detection of Advanced Persistent Threats (APTs): A Decision Tree Model for Intrusion Detection Using MITRE ATT&CK Behavioral Analysis

Asem Daoud * and Mohamed Hamdi
Higher School of Communication of Tunis, University of Carthage, Tunis, Tunisia
Email: asem.daoud@supcom.tn (A.D.); mmh@supcom.tn (M.H.)
*Corresponding author

Manuscript received October 10, 2025; revised November 16, 2025; accepted December 26, 2025; published May 13, 2026.

Abstract—Advanced Persistent Threats (APTs) demand intrusion detection systems that are not only highly accurate but also operationally transparent and aligned with analyst workflows. This paper presents the Decision Tree–Based Intrusion Detection System (DTB-IDS), which performs multi-level classification of network flows into (i) benign versus malicious traffic, (ii) MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) tactics, and (iii) primary ATT&CK techniques. DTB-IDS is trained on a behaviorally enriched dataset obtained by carefully merging and harmonizing UWF-ZeekData24 and NF-UQ-NIDS-v2, yielding 628,415 Zeek-style flow records mapped to 13 tactics and 24 techniques. Using 33 engineered, semantically meaningful flow features and 3 specialized Classification and Regression Tree (CART) trees, DTB-IDS achieves strong performance on the merged dataset, with 99.2% binary accuracy, 99.1% tactic F1, and 99.4% technique micro-F1, together with a very low Hamming loss (≈10⁻³). Cross-dataset validation on Canadian Institute for Cybersecurity Intrusion Detection Systems 2017 (CICIDS 2017) confirms the robustness of the learned decision boundaries, with 99.9% binary accuracy and 99.2% tactic F1 without retraining. Temporal and community-based splits further demonstrate that performance is sustained under stricter generalization regimes. Comparisons with Random Forest, Support Vector Machine (SVM), Deep Neural Networks (DNNs), eXtreme Gradient Boosting (XGBoost), Light Gradient Boosting Machine (LightGBM), and Explainable Boosting Machine baselines are validated by McNemar’s and paired t-tests. Feature-importance analysis and rule-path inspection show that a small set of interpretable, ATT&CK-aligned features and decision paths account for most predictions, making DTB-IDS a practical and transparent APT detection solution for security operations centers.
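The three-level design described in the abstract (binary verdict, then tactic, then a technique label set, with the per-level metrics the paper reports) is easier to reason about with a concrete pipeline in hand. The following is an added illustration, not code from the paper or its authors: the three hand-written rule functions stand in for the learned CART trees, the flow features, thresholds, sample flows and the flow-pattern-to-technique mapping are all constructed assumptions, and the metric definitions (binary accuracy, macro tactic F1, micro technique F1, Hamming loss over the technique label space) are the standard ones. The point it shows is how a stage-1 miss propagates as an error at every lower level, and how the multi-label Hamming loss is normalised by the size of the technique universe.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Technique label space for the multi-label stage. The IDs are real ATT&CK
# technique IDs, but the flow-pattern -> ID mapping below is an illustrative assumption.
TECHNIQUES = ("T1046", "T1041", "T1048", "T1071")


@dataclass(frozen=True)
class Flow:
    """One Zeek-style flow with a few engineered features plus ground truth (constructed)."""
    uid: str
    service: str         # Zeek service field ("-" when unknown)
    conn_state: str      # Zeek conn_state (SF, S0, REJ, ...)
    duration: float
    orig_bytes: int
    resp_bytes: int
    conns_per_src: int   # engineered feature: connections from this source in a 60 s window
    malicious: bool      # ground truth, level (i)
    tactic: Optional[str]          # ground truth, level (ii)
    techniques: FrozenSet[str]     # ground truth, level (iii)


def stage1_is_malicious(f: Flow) -> bool:
    """Level (i): benign vs malicious. Hand-written rules stand in for the learned CART."""
    if f.conns_per_src >= 50 and f.conn_state in ("S0", "REJ"):
        return True   # burst of half-open / rejected connections from one host
    if f.orig_bytes >= 5_000_000 and f.resp_bytes < 10_000:
        return True   # large, almost one-way upload
    if f.service == "dns" and f.orig_bytes > 20_000 and f.duration > 600:
        return True   # long-lived, unusually chatty DNS session
    return False


def stage2_tactic(f: Flow) -> str:
    """Level (ii): ATT&CK tactic; only reached for flows flagged at level (i)."""
    if f.conns_per_src >= 50 and f.conn_state in ("S0", "REJ"):
        return "Discovery"
    if f.orig_bytes >= 5_000_000:
        return "Exfiltration"
    return "Command and Control"


def stage3_techniques(f: Flow, tactic: str) -> FrozenSet[str]:
    """Level (iii): primary technique(s) as a label set (multi-label output)."""
    if tactic == "Discovery":
        return frozenset({"T1046"})               # Network Service Discovery
    if tactic == "Exfiltration":
        if f.service in ("http", "ssl"):
            return frozenset({"T1041", "T1071"})  # over C2 channel + application-layer protocol
        return frozenset({"T1048"})               # over alternative protocol
    return frozenset({"T1071"})                   # Application Layer Protocol


Prediction = Tuple[bool, Optional[str], FrozenSet[str]]


def classify(f: Flow) -> Prediction:
    """Chain the three trees; benign verdicts never reach levels (ii) and (iii)."""
    if not stage1_is_malicious(f):
        return (False, None, frozenset())
    tactic = stage2_tactic(f)
    return (True, tactic, stage3_techniques(f, tactic))


def macro_f1(truth: List[Optional[str]], pred: List[Optional[str]], labels: List[str]) -> float:
    """Unweighted mean of per-class F1 over the dataset's tactic classes."""
    scores = []
    for lab in labels:
        tp = sum(t == lab and p == lab for t, p in zip(truth, pred))
        fp = sum(t != lab and p == lab for t, p in zip(truth, pred))
        fn = sum(t == lab and p != lab for t, p in zip(truth, pred))
        denom = 2 * tp + fp + fn
        scores.append(2 * tp / denom if denom else 0.0)
    return sum(scores) / len(scores)


def evaluate(flows: List[Flow]) -> Dict[str, float]:
    """Score all three levels. Levels (ii)/(iii) are scored on truly malicious flows,
    so a miss at level (i) counts as an error at every level below it."""
    preds = [classify(f) for f in flows]
    binary_acc = sum(p[0] == f.malicious for f, p in zip(flows, preds)) / len(flows)
    mal = [(f, p) for f, p in zip(flows, preds) if f.malicious]
    tactic_labels = sorted({f.tactic for f, _ in mal if f.tactic is not None})
    tactic_f1 = macro_f1([f.tactic for f, _ in mal], [p[1] for _, p in mal], tactic_labels)
    tp = fp = fn = mismatches = 0
    for f, p in mal:
        tp += len(f.techniques & p[2])
        fp += len(p[2] - f.techniques)
        fn += len(f.techniques - p[2])
        mismatches += len(f.techniques ^ p[2])   # symmetric difference = bit flips
    micro_f1 = 2 * tp / (2 * tp + fp + fn) if (tp + fp + fn) else 1.0
    hamming = mismatches / (len(mal) * len(TECHNIQUES))   # normalised by label universe
    return {"binary_accuracy": binary_acc, "tactic_macro_f1": tactic_f1,
            "technique_micro_f1": micro_f1, "technique_hamming_loss": hamming}


# Constructed sample flows; the last one is a slow scan the stage-1 rules deliberately miss.
SAMPLE_FLOWS = [
    Flow("f1", "http", "SF", 1.2, 800, 5_000, 3, False, None, frozenset()),
    Flow("f2", "dns", "SF", 0.02, 60, 120, 5, False, None, frozenset()),
    Flow("f3", "-", "S0", 0.0, 0, 0, 120, True, "Discovery", frozenset({"T1046"})),
    Flow("f4", "http", "SF", 45.0, 8_000_000, 2_000, 2, True, "Exfiltration", frozenset({"T1041", "T1071"})),
    Flow("f5", "ftp", "SF", 120.0, 6_000_000, 500, 1, True, "Exfiltration", frozenset({"T1048"})),
    Flow("f6", "dns", "SF", 900.0, 30_000, 25_000, 8, True, "Command and Control", frozenset({"T1071"})),
    Flow("f7", "-", "REJ", 0.0, 0, 0, 30, True, "Discovery", frozenset({"T1046"})),
]

if __name__ == "__main__":
    for name, value in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:>22}: {value:.4f}")
```

On the sample flows the single stage-1 miss (f7) lowers binary accuracy to 6/7, drags tactic macro-F1 to 8/9 because the Discovery class loses one of its two positives, and costs one technique bit out of 5 × 4, giving a Hamming loss of 0.05; on a dataset the size of the paper's merged corpus the same single miss would contribute on the order of 10⁻⁶, which is why the reported Hamming loss of ≈10⁻³ corresponds to many more than one flip.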
 
Keywords—Advanced Persistent Threat (APT), Intrusion Detection System (IDS), decision tree, MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), interpretability, security operations

Cite: Asem Daoud and Mohamed Hamdi, "AI-Powered Detection of Advanced Persistent Threats (APTs): A Decision Tree Model for Intrusion Detection Using MITRE ATT&CK Behavioral Analysis," Journal of Advances in Information Technology, Vol. 17, No. 5, pp. 895-913, 2026. doi: 10.12720/jait.17.5.895-913

Copyright © 2026 by the authors. This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).
