Abstract

The rapid growth of the internet, connecting billions of people and businesses, brings with it an increased risk of misuse. Handling this misuse requires adaptive techniques that detect known as well as unknown (zero-day) attacks. The latter proved most challenging in recent studies, where supervised machine learning techniques excelled at detecting known attacks but failed to recognize unknown patterns. Therefore, this paper focuses on anomaly-based detection of malicious behavior on the network using flow-based features. Four unsupervised methods are evaluated, two of which employ a self-supervised learning approach. A realistic modern dataset, CIC-IDS-2017, containing multiple different attack types, is used to evaluate the proposed models in terms of classification performance and computational complexity. The results show that an autoencoder, a model from the field of deep learning, yields the highest area under the Receiver Operating Characteristic curve (AUROC) of 0.978 while maintaining an acceptable computational complexity, followed by one-class support vector machine, isolation forest and principal components analysis.
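To make the evaluation setup concrete, the following is an added example (not code from the paper) of the anomaly-based pipeline the abstract describes, using the simplest of the four methods, principal components analysis: a detector is fitted on benign flow features only, each new flow is scored by how badly the learned components reconstruct it, and the scores are compared against labels with the AUROC metric. It assumes the PCA detector is used as a reconstruction-error scorer, which is the usual formulation but is not spelled out in the abstract; the five feature names and all flow values are constructed here and are not CIC-IDS-2017 records. It is pure Python so it runs without numpy or scikit-learn.

```python
import math
import random

# Constructed flow records (hypothetical values, not CIC-IDS-2017 data):
# [duration_s, fwd_packets, bwd_packets, fwd_bytes, bwd_bytes]

def make_benign(n, seed):
    """Ordinary request/response flows: forward and backward sides are balanced."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        pk = rng.randint(5, 40)
        rows.append([rng.uniform(0.5, 5.0), pk, pk + rng.randint(-2, 2),
                     pk * rng.randint(200, 600), (pk + 1) * rng.randint(800, 1400)])
    return rows

def make_anomalous(n, seed):
    """Unbalanced flows: a burst of small forward packets with almost no reply."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        pk = rng.randint(200, 400)
        rows.append([rng.uniform(0.01, 0.2), pk, rng.randint(0, 3),
                     pk * 40, rng.randint(0, 120)])
    return rows

def fit_scaler(rows):
    """Per-feature mean and standard deviation, learned from benign data only."""
    d = len(rows[0])
    mean = [sum(r[j] for r in rows) / len(rows) for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / len(rows)) or 1.0
           for j in range(d)]
    return mean, std

def scale(rows, mean, std):
    return [[(r[j] - mean[j]) / std[j] for j in range(len(r))] for r in rows]

def covariance(z):
    d, n = len(z[0]), len(z)
    return [[sum(r[i] * r[j] for r in z) / n for j in range(d)] for i in range(d)]

def top_components(cov, k, iters=200):
    """Leading k eigenvectors of a covariance matrix by power iteration with deflation."""
    d = len(cov)
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        # Deflate so the next iteration finds the following eigenvector.
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return comps

def reconstruction_error(z_row, comps):
    """Squared distance between a flow and its projection onto the benign subspace."""
    proj = [sum(c[j] * z_row[j] for j in range(len(z_row))) for c in comps]
    recon = [sum(proj[i] * comps[i][j] for i in range(len(comps))) for j in range(len(z_row))]
    return sum((z_row[j] - recon[j]) ** 2 for j in range(len(z_row)))

def auroc(scores_pos, scores_neg):
    """Probability that a random anomaly scores above a random benign flow (ties count 1/2)."""
    wins = 0.0
    for p in scores_pos:
        for q in scores_neg:
            wins += 1.0 if p > q else 0.5 if p == q else 0.0
    return wins / (len(scores_pos) * len(scores_neg))

class PcaAnomalyDetector:
    """Unsupervised detector: fit on benign flows, score by reconstruction error."""
    def __init__(self, n_components=2):
        self.k = n_components

    def fit(self, benign_rows):
        self.mean, self.std = fit_scaler(benign_rows)
        z = scale(benign_rows, self.mean, self.std)
        self.comps = top_components(covariance(z), self.k)
        # Alert threshold: 99th percentile of the benign training scores.
        train_scores = sorted(reconstruction_error(r, self.comps) for r in z)
        self.threshold = train_scores[int(0.99 * (len(train_scores) - 1))]
        return self

    def score(self, rows):
        return [reconstruction_error(r, self.comps) for r in scale(rows, self.mean, self.std)]

def run_experiment():
    """Returns (AUROC, fraction of anomalous flows above the benign-derived threshold)."""
    det = PcaAnomalyDetector(n_components=2).fit(make_benign(400, seed=1))
    benign_scores = det.score(make_benign(100, seed=2))
    anomalous_scores = det.score(make_anomalous(100, seed=3))
    flagged = sum(1 for s in anomalous_scores if s > det.threshold) / len(anomalous_scores)
    return auroc(anomalous_scores, benign_scores), flagged

if __name__ == "__main__":
    print("AUROC=%.3f flagged=%.2f" % run_experiment())
```

The detector never sees an anomalous flow during fitting, which is what lets this family of methods generalize to attack types absent from the training data; AUROC summarizes ranking quality independently of any threshold, while the 99th-percentile threshold shows the operational trade-off a deployment must make between alert volume and miss rate.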
