Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape

by   Tommaso Zoppi, et al.

Anomaly detection aims at identifying unexpected fluctuations in the expected behavior of a given system. It is acknowledged as a reliable answer to the identification of zero-day attacks to such extent, several ML algorithms that suit for binary classification have been proposed throughout years. However, the experimental comparison of a wide pool of unsupervised algorithms for anomaly-based intrusion detection against a comprehensive set of attacks datasets was not investigated yet. To fill such gap, we exercise seventeen unsupervised anomaly detection algorithms on eleven attack datasets. Results allow elaborating on a wide range of arguments, from the behavior of the individual algorithm to the suitability of the datasets to anomaly detection. We conclude that algorithms as Isolation Forests, One-Class Support Vector Machines and Self-Organizing Maps are more effective than their counterparts for intrusion detection, while clustering algorithms represent a good alternative due to their low computational complexity. Further, we detail how attacks with unstable, distributed or non-repeatable behavior as Fuzzing, Worms and Botnets are more difficult to detect. Ultimately, we digress on capabilities of algorithms in detecting anomalies generated by a wide pool of unknown attacks, showing that achieved metric scores do not vary with respect to identifying single attacks.


page 12

page 15

page 16

page 18

page 19


Anomaly detection in wide area network mesh using two machine learning anomaly detection algorithms

Anomaly detection is the practice of identifying items or events that do...

Unsupervised Face Morphing Attack Detection via Self-paced Anomaly Detection

The supervised-learning-based morphing attack detection (MAD) solutions ...

Use Dimensionality Reduction and SVM Methods to Increase the Penetration Rate of Computer Networks

In the world today computer networks have a very important position and ...

Prepare for Trouble and Make it Double. Supervised and Unsupervised Stacking for AnomalyBased Intrusion Detection

In the last decades, researchers, practitioners and companies struggled ...

Exploring Information Centrality for Intrusion Detection in Large Networks

Modern networked systems are constantly under threat from systemic attac...

Performance Analysis of a Foreground Segmentation Neural Network Model

In recent years the interest in segmentation has been growing, being use...

A Machine-Synesthetic Approach To DDoS Network Attack Detection

In the authors' opinion, anomaly detection systems, or ADS, seem to be t...