Table of Contents
Fetching ...

A Novel Contrastive Loss for Zero-Day Network Intrusion Detection

Jack Wilkie, Hanan Hindy, Craig Michie, Christos Tachtatzis, James Irvine, Robert Atkinson

TL;DR

The paper tackles zero-day network intrusion detection by reframing the problem with a contrastive loss that models benign network traffic as a von Mises–Fisher distribution in an embedded space. The core CLAD framework enables robust anomaly detection by learning only the benign distribution while still leveraging malicious samples for normalization, and CLOSR extends this approach to open-set recognition with multiclass capability. Empirical results on Lycos2017 show consistent gains over anomaly detectors, supervised classifiers, and OSR baselines in both known and zero-day scenarios, with OpenAUC improvements demonstrated for CLOSR. The work offers a principled, probabilistic embedding scheme that improves generalization to unseen attacks and presents practical guidance on deployment and limitations, including scalability with class count for CLOSR.

Abstract

Machine learning has achieved state-of-the-art results in network intrusion detection; however, its performance significantly degrades when confronted by a new attack class -- a zero-day attack. In simple terms, classical machine learning-based approaches are adept at identifying attack classes on which they have been previously trained, but struggle with those not included in their training data. One approach to addressing this shortcoming is to utilise anomaly detectors which train exclusively on benign data with the goal of generalising to all attack classes -- both known and zero-day. However, this comes at the expense of a prohibitively high false positive rate. This work proposes a novel contrastive loss function which is able to maintain the advantages of other contrastive learning-based approaches (robustness to imbalanced data) but can also generalise to zero-day attacks. Unlike anomaly detectors, this model learns the distributions of benign traffic using both benign and known malign samples, i.e. other well-known attack classes (not including the zero-day class), and consequently, achieves significant performance improvements. The proposed approach is experimentally verified on the Lycos2017 dataset where it achieves an AUROC improvement of .000065 and .060883 over previous models in known and zero-day attack detection, respectively. Finally, the proposed method is extended to open-set recognition achieving OpenAUC improvements of .170883 over existing approaches.

A Novel Contrastive Loss for Zero-Day Network Intrusion Detection

TL;DR

The paper tackles zero-day network intrusion detection by reframing the problem with a contrastive loss that models benign network traffic as a von Mises–Fisher distribution in an embedded space. The core CLAD framework enables robust anomaly detection by learning only the benign distribution while still leveraging malicious samples for normalization, and CLOSR extends this approach to open-set recognition with multiclass capability. Empirical results on Lycos2017 show consistent gains over anomaly detectors, supervised classifiers, and OSR baselines in both known and zero-day scenarios, with OpenAUC improvements demonstrated for CLOSR. The work offers a principled, probabilistic embedding scheme that improves generalization to unseen attacks and presents practical guidance on deployment and limitations, including scalability with class count for CLOSR.

Abstract

Machine learning has achieved state-of-the-art results in network intrusion detection; however, its performance significantly degrades when confronted by a new attack class -- a zero-day attack. In simple terms, classical machine learning-based approaches are adept at identifying attack classes on which they have been previously trained, but struggle with those not included in their training data. One approach to addressing this shortcoming is to utilise anomaly detectors which train exclusively on benign data with the goal of generalising to all attack classes -- both known and zero-day. However, this comes at the expense of a prohibitively high false positive rate. This work proposes a novel contrastive loss function which is able to maintain the advantages of other contrastive learning-based approaches (robustness to imbalanced data) but can also generalise to zero-day attacks. Unlike anomaly detectors, this model learns the distributions of benign traffic using both benign and known malign samples, i.e. other well-known attack classes (not including the zero-day class), and consequently, achieves significant performance improvements. The proposed approach is experimentally verified on the Lycos2017 dataset where it achieves an AUROC improvement of .000065 and .060883 over previous models in known and zero-day attack detection, respectively. Finally, the proposed method is extended to open-set recognition achieving OpenAUC improvements of .170883 over existing approaches.
Paper Structure (24 sections, 17 equations, 5 figures, 7 tables)

This paper contains 24 sections, 17 equations, 5 figures, 7 tables.

Figures (5)

  • Figure 1: Wholistic overview of the proposed approach. Top: The CLAD loss function learns the distribution of benign traffic as an embedded vMF distribution. During inference the cosine distance between test representations and the centroid of this distribution is used to identify anomalous traffic. Bottom: The CLOSR framework extends CLAD to OSR by modelling the distribution of each known traffic class as an independent vMF distribution in a class specific embedded subspace. Closed set can be inference can then be performed by identifying the distribution with the highest cosine similarity to the test embedding, while zero-day attacks manifest as orthogonal vectors. Here the vMF distributions have been flattened for illustrative purposes.
  • Figure 2: AUROC of CLAD as the margin hyperparameter is varied in the range $[0.1, 1]$, with (orange) and without (blue) the distance terms being squared.
  • Figure 3: T-SNE plots of the validation embeddings produced by left: the contrastive loss function and right: the CLAD loss function. Both loss functions produce distinct clusters for benign traffic (blue) and malicious traffic (red). The contrastive loss function embeddings have overlap between the clusters; while the CLAD loss function creates a clear separation between clusters.
  • Figure 4: Alignment analysis of the contrastive (blue) and CLAD (orange) loss functions when detecting known and zero-day attacks. Left: Balanced recall of the contrastive and CLAD loss functions amongst classes included in the training data when evaluated using a linear classification probe. Centre: Mean AUROC of the contrastive and CLAD loss functions when evaluated on zero-day using a linear probe. Right: Mean AUROC of the contrastive and CLAD loss functions throughout training when evaluated by measuring the distance between validation samples and the centroid of benign traffic.
  • Figure 5: Cumulative distribution function of the cosine distance between data points and the centroid of benign traffic when training a model using the CLAD and contrastive loss functions. Left: The contrastive loss function learns a representation in which malicious classes (red) are often closer to the centroid than benign samples (blue). Right: the CLAD loss function learns an embedded representation of the data in which benign samples (blue) appear close to the centroid, malicious samples (red) are far from the centroid, and zero-day attacks (orange) are orthogonal to the centroid.