Zero Day Threat Detection Using Metric Learning Autoencoders
Dhruv Nandakumar, Robert Schiller, Christopher Redino, Kevin Choi, Abdul Rahman, Edward Bowen, Marc Vucovich, Joe Nehila, Matthew Weeks, Aaron Shaha

TL;DR
This paper introduces an improved autoencoder-based method utilizing metric learning for zero-day threat detection, enhancing performance and interpretability in network traffic analysis across diverse datasets.
Contribution
It advances previous autoencoder approaches by integrating metric learning for better detection accuracy and interpretability of zero-day threats in network telemetry.
Findings
Enhanced detection performance over previous models
Improved interpretability through multiclass classification in latent space
Effective generalization to new network topologies
Abstract
The proliferation of zero-day threats (ZDTs) to companies' networks has been immensely costly and requires novel methods to scan traffic for malicious behavior at massive scale. The diverse nature of normal behavior along with the huge landscape of attack types makes deep learning methods an attractive option for their ability to capture highly-nonlinear behavior patterns. In this paper, the authors demonstrate an improvement upon a previously introduced methodology, which used a dual-autoencoder approach to identify ZDTs in network flow telemetry. In addition to the previously-introduced asset-level graph features, which help abstractly represent the role of a host in its network, this new model uses metric learning to train the second autoencoder on labeled attack data. This not only produces stronger performance, but it has the added advantage of improving the interpretability of the…
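As an added illustration, not code from the paper or its authors: a pure-Python stand-in for the second, metric-learned stage described in the abstract. It replaces the paper's second autoencoder with a single linear embedding z = W x trained by a contrastive loss on labelled attack telemetry, then explains a flagged host by the nearest attack-class centroid in that latent space, and reports "unknown" for a host that is far from every centroid instead of forcing it into a known class. The per-host feature vector, the three attack prototypes, the margin, learning rate and helper names (`train_embedding`, `classify`, and so on) are assumptions made up for this example; they are not the paper's feature set, datasets or model.

```python
"""Toy metric-learned latent space for labelled attack telemetry (pure Python).

Added illustration, not the paper's code: a linear embedding z = W x trained
with a contrastive loss stands in for the paper's second autoencoder.
"""
import math
import random
from typing import Dict, List, Tuple

Vec = List[float]
Mat = List[List[float]]

# Constructed per-host features (assumed, not the paper's): each value in [0, 1].
# [bytes_out_ratio, dst_port_entropy, fan_out, fan_in]
PROTOTYPES: Dict[str, Vec] = {
    "scan":  [0.1, 0.9, 0.9, 0.1],   # many ports and peers, little data
    "exfil": [0.9, 0.1, 0.1, 0.2],   # one peer, heavy outbound volume
    "c2":    [0.3, 0.2, 0.1, 0.9],   # beaconing, inbound-driven, little data
}


def make_dataset(per_class: int = 4, noise: float = 0.05, seed: int = 1) -> Tuple[List[Vec], List[str]]:
    """Jitter each prototype to build a small labelled training set (constructed data)."""
    rng = random.Random(seed)
    X, y = [], []
    for label, proto in PROTOTYPES.items():
        for _ in range(per_class):
            X.append([v + rng.uniform(-noise, noise) for v in proto])
            y.append(label)
    return X, y


def embed(W: Mat, x: Vec) -> Vec:
    """Latent vector z = W x."""
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]


def _dist(a: Vec, b: Vec) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def train_embedding(X: List[Vec], y: List[str], latent: int = 2, margin: float = 1.0,
                    lr: float = 0.1, epochs: int = 300, seed: int = 0) -> Mat:
    """Contrastive loss: same-class pairs are pulled together (||dz||^2),
    different-class pairs are pushed at least `margin` apart (max(0, m - ||dz||)^2).
    Full-batch gradient descent on W; gradients are averaged over all pairs."""
    rng = random.Random(seed)
    d = len(X[0])
    W = [[rng.uniform(-0.1, 0.1) for _ in range(d)] for _ in range(latent)]
    pairs = [(i, j) for i in range(len(X)) for j in range(i + 1, len(X))]
    for _ in range(epochs):
        grad = [[0.0] * d for _ in range(latent)]
        for i, j in pairs:
            dx = [a - b for a, b in zip(X[i], X[j])]
            dz = [a - b for a, b in zip(embed(W, X[i]), embed(W, X[j]))]
            norm = math.sqrt(sum(v * v for v in dz)) + 1e-12
            if y[i] == y[j]:
                scale = 2.0                              # d/dW of ||dz||^2 is 2 dz dx^T
            elif norm < margin:
                scale = -2.0 * (margin - norm) / norm    # d/dW of (m - ||dz||)^2
            else:
                continue                                 # already beyond the margin
            for r in range(latent):
                for c in range(d):
                    grad[r][c] += scale * dz[r] * dx[c]
        for r in range(latent):
            for c in range(d):
                W[r][c] -= lr * grad[r][c] / len(pairs)
    return W


def class_centroids(W: Mat, X: List[Vec], y: List[str]) -> Dict[str, Vec]:
    """Mean latent vector per attack class: the interpretable anchors of the space."""
    sums: Dict[str, Vec] = {}
    counts: Dict[str, int] = {}
    for x, label in zip(X, y):
        z = embed(W, x)
        s = sums.setdefault(label, [0.0] * len(z))
        for k, v in enumerate(z):
            s[k] += v
        counts[label] = counts.get(label, 0) + 1
    return {lab: [v / counts[lab] for v in s] for lab, s in sums.items()}


def min_centroid_separation(cents: Dict[str, Vec]) -> float:
    labels = list(cents)
    return min(_dist(cents[a], cents[b]) for i, a in enumerate(labels) for b in labels[i + 1:])


def max_intra_radius(W: Mat, X: List[Vec], y: List[str], cents: Dict[str, Vec]) -> float:
    """Largest distance of a training host from its own class centroid."""
    return max(_dist(embed(W, x), cents[lab]) for x, lab in zip(X, y))


def classify(W: Mat, cents: Dict[str, Vec], x: Vec, reject_radius: float) -> Tuple[str, float]:
    """Nearest-centroid label in latent space; 'unknown' when the host is farther
    than reject_radius from every centroid (a candidate new family, not a known one)."""
    z = embed(W, x)
    label, dist = min(((lab, _dist(z, c)) for lab, c in cents.items()), key=lambda t: t[1])
    return (label if dist <= reject_radius else "unknown"), dist


if __name__ == "__main__":
    X, y = make_dataset()
    W = train_embedding(X, y)
    cents = class_centroids(W, X, y)
    radius = max_intra_radius(W, X, y, cents)
    print("min centroid separation:", round(min_centroid_separation(cents), 3))
    print("max intra-class radius:", round(radius, 3))
    # Constructed host near the exfil prototype (already flagged by the benign stage).
    print(classify(W, cents, [0.88, 0.12, 0.08, 0.22], reject_radius=3 * radius))
    # Constructed host unlike any labelled family: far from all centroids it returns "unknown".
    print(classify(W, cents, [0.9, 0.9, 0.9, 0.9], reject_radius=3 * radius))
```

In the paper's pipeline this stage only runs on hosts the first, benign-trained autoencoder has already flagged; the point of shaping the latent space with labels is that the flag then comes with a nearest known family as an explanation. The reject radius is the caveat a practitioner should keep: without it, a genuine zero-day is always forced into whichever known class happens to be closest.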
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Terrorism, Counterterrorism, and Political Violence
