Unsupervised Machine Learning Techniques for Network Intrusion Detection on Modern Data

The rapid growth of the internet, connecting billions of people and businesses, brings with it an increased risk of misuse. Handling this misuse requires adaptive techniques detecting known as well as unknown, zero-day, attacks. The latter proved most challenging in recent studies, where supervised machine learning techniques excelled at detecting known attacks, but failed to recognize unknown patterns. Therefore, this paper focuses on anomaly-based detection of malicious behavior on the network by using flow-based features. Four unsupervised methods are evaluated of which two employ a self-supervised learning approach. A realistic modern dataset, CIC-IDS-2017, containing multiple different attack types is used to evaluate the proposed models in terms of classification performance and computational complexity. The results show that an autoencoder, obtained from the field of deep-learning, yields the highest area under the Receiver Operating Characteristics (AUROC) of 0.978 while maintaining an acceptable computational complexity, followed by one-class support vector machine, isolation forest and principal components analysis.