UNAD+: An Explainable Hybrid Framework for Unknown Network Attack Detection
Saif Alzubi, Frederic Stahl

TL;DR
UNAD+ is an explainable hybrid framework that improves unknown network attack detection by combining unsupervised ensemble methods with supervised refinement and explainability, achieving high accuracy and low false positives.
Contribution
It introduces UNAD+, an enhanced detection framework that integrates unsupervised and supervised techniques with explainability for better unknown attack detection.
Findings
Achieved F1-scores above 98% on benchmark datasets.
Reduced false positive rates significantly.
Enhanced transparency with integrated explainability.
Abstract
The detection of previously unseen network attacks remains a major challenge for intrusion detection systems. Although supervised learning methods often perform well on known attack classes, they are limited when new attack types are not represented in the training data. Unsupervised methods are more suitable for detecting zero-day attacks, as they do not require labelled attack samples, but they often suffer from high false positive rates, which limits their real-world usefulness. This paper presents UNAD+, an enhanced framework for unknown network attack detection derived from the previously proposed Unknown Network Attack Detector (UNAD). UNAD+ combines a benign-only unsupervised ensemble with Weighted Majority Voting (WMV), a supervised refinement stage trained on pseudo-labelled detections, and a post hoc explainability layer that provides both local and global explanations. The…
