AOC-IDS: Autonomous Online Framework with Contrastive Learning for Intrusion Detection

Xinchen Zhang, Running Zhao, Zhihan Jiang, Zhicong Sun, Yulong Ding, Edith C. H. Ngai, Shuang-Hua Yang

TL;DR

This paper tackles the need for adaptive intrusion detection in IoT environments where normal behavior and attack strategies evolve over time. It introduces AOC-IDS, an autonomous online IDS that combines an anomaly-detection module (ADM) based on an Autoencoder with a Cluster Repelling Contrastive (CRC) loss and a labor-free online learning framework that generates pseudo-labels for continual updates. Key contributions include the CRC loss design that leverages both encoder and decoder representations, a Gaussian-distribution–based autonomous decision mechanism, and robustness enhancements to mitigate mislabeled data during online updates. The approach is validated on NSL-KDD and UNSW-NB15, showing state-of-the-art accuracy and strong zero-day attack detection, with ablations confirming the importance of each component. The work demonstrates practical impact by enabling continuous, label-efficient adaptation for IoT IDS, and the authors provide public code for reproducibility.

Abstract

The rapid expansion of the Internet of Things (IoT) has raised increasing concern about targeted cyber attacks. Previous research primarily focused on static Intrusion Detection Systems (IDSs), which employ offline training to safeguard IoT systems. However, such static IDSs struggle with real-world scenarios where IoT system behaviors and attack strategies can undergo rapid evolution, necessitating dynamic and adaptable IDSs. In response to this challenge, we propose AOC-IDS, a novel online IDS that features an autonomous anomaly detection module (ADM) and a labor-free online framework for continual adaptation. In order to enhance data comprehension, the ADM employs an Autoencoder (AE) with a tailored Cluster Repelling Contrastive (CRC) loss function to generate distinctive representation from limited or incrementally incoming data in the online setting. Moreover, to reduce the burden of manual labeling, our online framework leverages pseudo-labels automatically generated from the decision-making process in the ADM to facilitate periodic updates of the ADM. The elimination of human intervention for labeling and decision-making boosts the system's compatibility and adaptability in the online setting to remain synchronized with dynamic environments. Experimental validation using the NSL-KDD and UNSW-NB15 datasets demonstrates the superior performance and adaptability of AOC-IDS, surpassing the state-of-the-art solutions. The code is released at https://github.com/xinchen930/AOC-IDS.

Paper Structure

This paper contains 25 sections, 6 equations, 5 figures, 4 tables, 1 algorithm.

Figures (5)

  • Figure 1: System overview of AOC-IDS. In the proposed system, the ADM undergoes adaptation within the online framework. The online framework consists of two steps: pseudo-label generation and system adaptation. The ADM extracts the feature of an input using an AE and the extracted feature is labeled according to the Gaussian fit result.
  • Figure 2: Inference process of the proposed ADM to label an input.
  • Figure 3: Difference between InfoNCE loss and CRC loss in intrusion detection.
  • Figure 4: Timeline of the proposed online framework.
  • Figure 5: Detection rates of zero-day (unseen) attacks for ours (AOC-IDS) and comparative methods. The detection rate for previously seen attacks is provided in brackets for reference. Numbers in red and black represent detection rates for seen and unseen attacks, respectively.
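The Figure 1 caption and the abstract describe labeling by Gaussian fit and pseudo-label-driven updates. The sketch below is an added example, not the authors' released code. It assumes each flow is reduced to one scalar score derived from the AE representation (higher means closer to normal); the class name, the scores and the two-Gaussian likelihood comparison are all hypothetical, and only the Gaussians are refit here, not the autoencoder.

```python
import math
import statistics

# Constructed sample scores (assumption: one scalar per flow derived from the
# AE representation, higher = more like normal traffic). Not real dataset values.
NORMAL = [0.90, 0.92, 0.88, 0.91, 0.89, 0.93, 0.87]
ATTACK = [0.30, 0.25, 0.40, 0.35, 0.20, 0.45, 0.15]
DRIFTED_NORMAL = [0.86, 0.84, 0.83, 0.82]   # benign behaviour shifting over time

def log_pdf(x, mu, sigma):
    """Log density of N(mu, sigma^2) at x."""
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))

class GaussianDecider:
    """Labels a score by comparing likelihoods under two fitted Gaussians."""
    def __init__(self, normal_scores, attack_scores):
        self.pool = {0: list(normal_scores), 1: list(attack_scores)}
        self.refit()

    def refit(self):
        # (mean, std) per class; std is floored so a degenerate pool cannot divide by zero
        self.params = {y: (statistics.fmean(s), max(statistics.pstdev(s), 1e-6))
                       for y, s in self.pool.items()}

    def label(self, score):
        """0 = normal, 1 = attack: whichever Gaussian explains the score better."""
        return int(log_pdf(score, *self.params[1]) > log_pdf(score, *self.params[0]))

    def online_step(self, batch):
        """Pseudo-label a batch, fold it into the pools, refit. No human labels."""
        labels = [self.label(s) for s in batch]
        for s, y in zip(batch, labels):
            self.pool[y].append(s)
        self.refit()
        return labels

def demo():
    d = GaussianDecider(NORMAL, ATTACK)
    before = d.label(0.78)                  # drifted benign score, static model
    batch_labels = d.online_step(DRIFTED_NORMAL)
    after = d.label(0.78)                   # same score after one adaptation round
    return before, batch_labels, after, d.label(0.50)

if __name__ == "__main__":
    print(demo())
```

A wrong pseudo-label is folded into the pool exactly like a right one, which is why the TL;DR lists robustness against mislabeled data as a separate contribution.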