A Novel Contrastive Loss for Zero-Day Network Intrusion Detection
Jack Wilkie, Hanan Hindy, Craig Michie, Christos Tachtatzis, James Irvine, Robert Atkinson

TL;DR
This paper introduces a novel contrastive loss function that enhances zero-day network intrusion detection by learning benign and known attack distributions, significantly improving detection performance and reducing false positives.
Contribution
It proposes a new contrastive loss approach that generalizes to zero-day attacks by learning from benign and known attack data, outperforming existing methods.
Findings
Achieves AUROC improvements of .000065 and .060883 in known and zero-day attack detection, respectively.
Extends to open-set recognition with OpenAUC gains of .170883.
Demonstrates effectiveness on the Lycos2017 dataset.
Abstract
Machine learning has achieved state-of-the-art results in network intrusion detection; however, its performance significantly degrades when confronted by a new attack class -- a zero-day attack. In simple terms, classical machine learning-based approaches are adept at identifying attack classes on which they have been previously trained, but struggle with those not included in their training data. One approach to addressing this shortcoming is to utilise anomaly detectors which train exclusively on benign data with the goal of generalising to all attack classes -- both known and zero-day. However, this comes at the expense of a prohibitively high false positive rate. This work proposes a novel contrastive loss function which is able to maintain the advantages of other contrastive learning-based approaches (robustness to imbalanced data) but can also generalise to zero-day attacks.…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Internet Traffic Analysis and Secure E-voting
