Intrusion detection ML fails live lab testing

High validation accuracy in security ML is often a mirage masking fatal class imbalance issues. Dataset imbalance led to a model biased toward malicious predictions, rendering it ineffective for real-world deployment. Transitioning from packet-level features to NetFlow-style aggregations is critical for operational scalability and noise reduction. Supervised models like LightGBM with imbalance handling or unsupervised Isolation Forests offer more reliable paths for network anomaly detection. Evaluation must shift from Accuracy to F1-Score and Precision-Recall to manage the high operational cost of false positives in security monitoring.