Abstract

Researchers have continuously sought effective ways to detect unknown (zero-day) cyberattacks immediately. Most current methods rely on pattern recognition to identify known threats when they appear; however, some newer capabilities use machine-learning (ML) anomaly detection tools, which train a model on normal network data so that outliers can be identified and scrutinized in case they represent a new attack. Various deep-learning methods have been attempted for the latter, but training for unknown features and new events is problematic with ML, because the need to train for the unknown actually increases the risk of false positives. Moreover, attacks developed using adversarial learning techniques can quickly outsmart such algorithms by hiding the attack in the normal distribution. To overcome these problems, this study applies data discretization and decision-boundary point analyses to scrutinize patterns near the thresholds of uncertainty. A novel discretization method is used to effectively train our model for the fuzzy c-means feature analysis of data points at the decision boundary, through which adversarial features are detected and classified based upon their entropy. In this way, it was possible to identify incorrectly detected attack data distributed near the model's decision boundary. The National Security Laboratory's Knowledge Discovery Dataset, which is commonly used to evaluate ML intrusion detection systems, is used to evaluate the proposed method. The results show that our model successfully identifies attacks at the decision boundary as desired and that its performance can be improved through classification. In addition, when classification was performed, accuracy was confirmed to improve over the existing model by 5 to 7% for DoS attacks, 7 to 10% for Probe, 4 to 7% for R2L, and 1 to 9% for U2R.
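The following added example, which is not the paper's code, illustrates the general idea of flagging records near a decision boundary by the entropy of their fuzzy c-means memberships. The cluster centers, the fuzzifier m = 2, the 0.8 entropy threshold and the sample feature vectors are all constructed assumptions, and the paper's discretization step is not reproduced.

```python
import math

def fcm_memberships(x, centers, m=2.0):
    """Standard fuzzy c-means membership of point x in each cluster center."""
    d = [math.dist(x, c) for c in centers]
    # A point sitting exactly on a center belongs fully to it.
    if any(di == 0.0 for di in d):
        hits = [1.0 if di == 0.0 else 0.0 for di in d]
        return [h / sum(hits) for h in hits]
    exp = 2.0 / (m - 1.0)
    return [1.0 / sum((di / dk) ** exp for dk in d) for di in d]

def membership_entropy(u):
    """Shannon entropy of a membership vector, normalized to [0, 1]."""
    h = -sum(p * math.log2(p) for p in u if p > 0.0)
    return h / math.log2(len(u))

def flag_boundary_points(points, centers, threshold=0.8, m=2.0):
    """Return (index, entropy) for records whose cluster membership is ambiguous."""
    flagged = []
    for i, x in enumerate(points):
        h = membership_entropy(fcm_memberships(x, centers, m))
        if h >= threshold:  # high entropy = close to the decision boundary
            flagged.append((i, round(h, 3)))
    return flagged

# Constructed sample: two scaled flow features per record (not NSL-KDD data).
CENTERS = [(0.2, 0.2), (0.8, 0.8)]  # assumed "normal" and "attack" centers
POINTS = [(0.21, 0.19), (0.79, 0.82), (0.5, 0.5), (0.45, 0.55), (0.3, 0.3)]

if __name__ == "__main__":
    for idx, h in flag_boundary_points(POINTS, CENTERS):
        print(f"record {idx}: membership entropy {h} -> send to second-stage review")
```

Records with near-equal membership in both clusters score an entropy close to 1 and are the ones a second-stage classifier would re-examine; records close to a center score near 0 and keep their first-stage label.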
