Unsupervised Algorithms to Detect Zero-Day Attacks: Strategy and Application

In the last decade, researchers, practitioners and companies have struggled to devise mechanisms to detect cyber-security threats. Among others, those efforts originated rule-based, signature-based or supervised Machine Learning (ML) algorithms that were proven effective for detecting those intrusions that have already been encountered and characterized. Instead, new unknown threats, often referred to as zero-day attacks or zero-days, likely go undetected as they are often misclassified by those techniques. In recent years, unsupervised anomaly detection algorithms showed potential to detect zero-days. However, dedicated support for quantitative analyses of unsupervised anomaly detection algorithms is still scarce and often does not promote meta-learning, which has potential to improve classification performance. To this end, this paper introduces the problem of zero-days and reviews unsupervised algorithms for their detection. Then, the paper applies a question-answer approach to identify typical issues in conducting quantitative analyses for zero-day detection, and shows how to set up and exercise unsupervised algorithms with appropriate tooling. Using a very recent attack dataset, we debate i) the impact of features on the detection performance of unsupervised algorithms, ii) the relevant metrics to evaluate intrusion detectors, iii) means to compare multiple unsupervised algorithms, and iv) the application of meta-learning to reduce misclassifications. Ultimately, v) we measure the detection performance of unsupervised anomaly detection algorithms with respect to zero-days. Overall, the paper exemplifies how to practically orchestrate and apply an appropriate methodology, process and tool, providing even non-experts with means to select appropriate strategies to deal with zero-days.

Bibliographic Details
Main Authors: Tommaso Zoppi, Andrea Ceccarelli, Andrea Bondavalli
Format: Article
Language: English
Published: IEEE 2021-01-01
Series: IEEE Access, volume 9, pages 90603-90615
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2021.3090957
Subjects: Zero-day attacks; intrusion detection; machine learning; anomaly detection; RELOAD; security
Collection: DOAJ
Online Access: https://ieeexplore.ieee.org/document/9461213/
DOAJ Record ID: doaj-188c99490aa24d6181dce34206a3b97b

Author Details
Tommaso Zoppi, https://orcid.org/0000-0001-9820-6047, Department of Mathematics and Informatics, University of Florence, Florence, Italy
Andrea Ceccarelli, https://orcid.org/0000-0002-2291-2428, Department of Mathematics and Informatics, University of Florence, Florence, Italy
Andrea Bondavalli, https://orcid.org/0000-0001-7366-6530, Department of Mathematics and Informatics, University of Florence, Florence, Italy