siForest: Detecting Network Anomalies with Set-Structured Isolation Forest

TL;DR

siForest introduces a novel set-structured extension of the Isolation Forest algorithm, enhancing anomaly detection in complex network traffic data by treating multiple scans as cohesive units, thereby improving detection performance.

Contribution

The paper proposes siForest, a new set-partitioned extension of Isolation Forest tailored for set-structured network data, addressing challenges in analyzing multidimensional, complex datasets.

Findings

siForest can outperform traditional methods on synthetic network scan datasets.

The method effectively detects anomalies in multidimensional, set-structured network data.

Experimental results show potential for improved network anomaly detection.

Abstract

As cyber threats continue to evolve in sophistication and scale, the ability to detect anomalous network behavior has become critical for maintaining robust cybersecurity defenses. Modern cybersecurity systems face the overwhelming challenge of analyzing billions of daily network interactions to identify potential threats, making efficient and accurate anomaly detection algorithms crucial for network defense. This paper investigates the use of variations of the Isolation Forest (iForest) machine learning algorithm for detecting anomalies in internet scan data. In particular, it presents the Set-Partitioned Isolation Forest (siForest), a novel extension of the iForest method designed to detect anomalies in set-structured data. By treating instances such as sets of multiple network scans with the same IP address as cohesive units, siForest effectively addresses some challenges of analyzing complex, multidimensional datasets. Extensive experiments on synthetic datasets simulating diverse anomaly scenarios in network traffic demonstrate that siForest has the potential to outperform traditional approaches on some types of internet scan data.