
Improving Intrusion Detection with Domain-Invariant Representation Learning in Latent Space

Padmaksha Roy, Tyler Cody, Himanshu Singhal, Kevin Choi, Ming Jin

TL;DR

This work tackles zero-day anomaly detection under domain shift by learning a domain-invariant latent representation $Z$ through a multi-task latent-space encoder-decoder framework (MTLS-RED). It combines classification, reconstruction, and a matrix-based mutual information regularization derived from the Principle of Relevant Information to decorrelate spurious domain-specific features, promoting invariance across domains. The model is trained on multiple source and cross-domain datasets with varying correlation structures, achieving notable improvements in average precision, recall, and AUC-ROC for unseen OOD classes. The approach offers practical significance for robust intrusion detection in real-world, heterogeneous environments, with a principled mechanism to balance information preservation and compression in the latent space.

Abstract

Zero-day anomaly detection is critical in industrial applications where novel, unforeseen threats can compromise system integrity and safety. Traditional detection systems often fail to identify these unseen anomalies due to their reliance on in-distribution data. Domain generalization addresses this gap by leveraging knowledge from multiple known domains to detect out-of-distribution events. In this work, we introduce a multi-task representation learning technique that fuses information across related domains into a unified latent space. By jointly optimizing classification, reconstruction, and mutual information regularization losses, our method learns a minimal (bottleneck), domain-invariant representation that discards spurious correlations. This latent space decorrelation enhances generalization, enabling the detection of anomalies in unseen domains. Our experimental results demonstrate significant improvements in zero-day or novel anomaly detection across diverse anomaly detection datasets.
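The page names a matrix-based mutual information regularizer but does not define it. As an added illustration (not the paper's code), the following uses the matrix-based Rényi α-entropy estimator of Giraldo, Rao and Principe as a stand-in, measures how much of the domain identity a latent Z still carries, and composes the weighted multi-task loss; the Gaussian kernel, bandwidth, loss form and toy data are all assumptions.

```python
"""Added illustration: matrix-based MI as a domain-leakage penalty on a latent Z.

Assumption: the regularizer is the matrix-based Renyi alpha-entropy estimator of
Giraldo, Rao and Principe (Gaussian kernel, unit-trace Gram matrices). The paper's
exact kernel, bandwidth and loss weighting are not given on this page.
"""
import numpy as np


def gram_matrix(x: np.ndarray, sigma: float = 1.0) -> np.ndarray:
    """Gaussian-kernel Gram matrix of the rows of x, normalized to unit trace."""
    sq = np.sum(x * x, axis=1)
    d2 = np.maximum(sq[:, None] + sq[None, :] - 2.0 * x @ x.T, 0.0)
    k = np.exp(-d2 / (2.0 * sigma ** 2))
    return k / np.trace(k)


def renyi_entropy(a: np.ndarray, alpha: float = 2.0) -> float:
    """S_alpha(A) = log2(tr(A^alpha)) / (1 - alpha), via eigenvalues of the PSD matrix A."""
    lam = np.clip(np.linalg.eigvalsh(a), 0.0, None)
    return float(np.log2(np.sum(lam ** alpha)) / (1.0 - alpha))


def matrix_mutual_info(x, y, sigma=1.0, alpha=2.0) -> float:
    """I(X;Y) = S(A) + S(B) - S(A o B), with A o B the trace-normalized Hadamard product."""
    a, b = gram_matrix(x, sigma), gram_matrix(y, sigma)
    ab = a * b
    return renyi_entropy(a, alpha) + renyi_entropy(b, alpha) - renyi_entropy(ab / np.trace(ab), alpha)


def multitask_loss(cls_loss, rec_loss, mi_penalty, w_rec=0.01, w_mi=0.99) -> float:
    """Weighted sum in the spirit of Figure 2's (reconstruction, MI) settings; the form is assumed."""
    return cls_loss + w_rec * rec_loss + w_mi * mi_penalty


# Constructed toy data: two domains that share the same eight "signal" values.
SIGNAL = np.linspace(0.0, 3.0, 8)
DOMAIN = np.repeat([0.0, 1.0], 8)[:, None]                # domain indicator per sample
Z_CLEAN = np.tile(SIGNAL, 2)[:, None]                     # latent that ignores the domain
Z_LEAKY = np.column_stack([Z_CLEAN[:, 0], DOMAIN[:, 0]])  # latent that still encodes the domain


def domain_leakage(z: np.ndarray) -> float:
    """MI between a latent and the domain indicator: the quantity the regularizer drives down."""
    return matrix_mutual_info(z, DOMAIN)


if __name__ == "__main__":
    print("leaky:", round(domain_leakage(Z_LEAKY), 3), "clean:", round(domain_leakage(Z_CLEAN), 3))
```

Because the toy Gram matrices factor as Kronecker products, the domain-ignoring latent scores exactly zero leakage while the domain-encoding latent scores about 0.28 bits.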

Paper Structure (15 sections, 9 equations, 4 figures, 4 tables, 1 algorithm)

Figures (4)

  • Figure 1: Training the Multi-task Latent Space Regularized Encoder-Decoder Model (MTLS-RED). During testing, the trained latent space is directly used to classify new samples.
  • Figure 2: Precision, recall, and accuracy plots for the rarest class (RARE, in blue), which has only 525 samples in the CIC-IDS dataset, using training data from the GOLDENEYE (source) and BOTNET (cross) domains. Panel (a) shows precision, recall, and AUC over epochs on validation data without regularization; (b) applies MI = 0.01, reconstruction = 0.99; (c) applies MI = 0.99, reconstruction = 0.01; (d) uses equal weights of 0.5. High MI regularization (case (c)) leads to over 10-20% improvement and greater stability across all metrics. A higher MI penalty helps achieve better classification of the RARE class.
  • Figure 3: From left to right, the plots show improved average AUC-ROC as datasets are combined and regularization is applied, enhancing generalization to unseen domains. We evaluate this using seven CIC-CSE-IDS attack datasets with equal benign samples, reporting results as (reconstruction weight, MI penalty, Average AUC on all datasets).
  • Figure 4: t-SNE projection of the latent space without regularization (bottom row) and with MTL-RED (top row) for some of the attacks in CIC-IDS and CIC-IOMT/IOT: SOLARIS, RARE, DOS, DDOS, and RECONAISSANCE. Subfigures (a)--(e) correspond to MTL-RED, and (f)--(j) to the no-regularization case.