usfAD based effective unknown attack detection focused IDS framework

• Published in: Scientific reports Vol. 14; no. 1; pp. 29103 - 25
• Main Authors: Uddin, Md. Ashraf, Aryal, Sunil, Bouadjenek, Mohamed Reda, Al-Hawawreh, Muna, Talukder, Md. Alamin
• Format: Journal Article
• Language: English
• Published: London Nature Publishing Group UK 24.11.2024; Nature Publishing Group; Nature Portfolio
• Subjects: 639/705/117; 639/705/258; Algorithms; Anomaly detection; Classification; Datasets; Humanities and Social Sciences; Internet of Things; Intrusion detection system; Intrusion detection systems; IoT; Learning algorithms; Machine learning; multidisciplinary; Network traffic; One class classification; Science; Science (multidisciplinary); Zero day attacks; Zero day attacks; Intrusion detection system; Network traffic; Anomaly detection; One class classification; IoT
• ISSN: 2045-2322; 2045-2322
• DOI: 10.1038/s41598-024-80021-0

The rapid expansion of varied network systems, including the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), has led to an increasing range of cyber threats. Ensuring robust protection against these threats necessitates the implementation of an effective Intrusion Detection System (IDS). For more than a decade, researchers have delved into supervised machine learning techniques to develop IDS to classify normal and attack traffic. However, building effective IDS models using supervised learning requires a substantial number of benign and attack samples. To collect a sufficient number of attack samples from real-life scenarios is not possible since cyber attacks occur occasionally. Further, IDS trained and tested on known datasets fails in detecting zero-day or unknown attacks due to the swift evolution of attack patterns. To address this challenge, we put forth two strategies for semi-supervised learning-based IDS where training samples of attacks are not required: (1) training a supervised machine learning model using randomly and uniformly dispersed synthetic attack samples; (2) building a One Class Classification (OCC) model that is trained exclusively on benign network traffic. We have implemented both approaches and compared their performances using 10 recent benchmark IDS datasets. Our findings demonstrate that the OCC model based on the state-of-art anomaly detection technique called usfAD significantly outperforms conventional supervised classification and other OCC-based techniques when trained and tested considering real-life scenarios, particularly to detect previously unseen attacks.