Evaluation of Machine Learning Classifiers for Zero-Day Intrusion Detection -- An Analysis on CIC-AWS-2018 dataset

TL;DR

This study evaluates machine learning classifiers, especially decision trees, on CIC-AWS-2018 data for Zero-Day intrusion detection, showing high accuracy and suggesting simple models can be effective.

Contribution

It provides a comprehensive analysis of ML classifiers on CIC-AWS-2018 for Zero-Day attack detection, highlighting the potential of simple models like decision trees.

Findings

Decision tree classifier achieved up to 100% accuracy.

Simple models can effectively detect Zero-Day attacks.

Evaluation included real-world attack data and realistic traffic flows.

Abstract

Detecting Zero-Day intrusions has been the goal of Cybersecurity, especially intrusion detection for a long time. Machine learning is believed to be the promising methodology to solve that problem, numerous models have been proposed but a practical solution is still yet to come, mainly due to the limitation caused by the out-of-date open datasets available. In this paper, we take a deep inspection of the flow-based statistical data generated by CICFlowMeter, with six most popular machine learning classification models for Zero-Day attacks detection. The training dataset CIC-AWS-2018 Dataset contains fourteen types of intrusions, while the testing datasets contains eight different types of attacks. The six classification models are evaluated and cross validated on CIC-AWS-2018 Dataset for their accuracy in terms of false-positive rate, true-positive rate, and time overhead. Testing dataset, including eight novel (or Zero-Day) real-life attacks and benign traffic flows collected in real research production network are used to test the performance of the chosen decision tree classifier. Promising results are received with the accuracy as high as 100% and reasonable time overhead. We argue that with the statistical data collected from CICFlowMeter, simple machine learning models such as the decision tree classification could be able to take charge in detecting Zero-Day attacks.