A Novel Contrastive Loss for Zero-Day Network Intrusion Detection
Jack Wilkie, Hanan Hindy, Craig Michie, Christos Tachtatzis, James Irvine, Robert Atkinson
TL;DR
The paper tackles zero-day network intrusion detection by reframing the problem with a contrastive loss that models benign network traffic as a von Mises–Fisher distribution in an embedded space. The core CLAD framework enables robust anomaly detection by learning only the benign distribution while still leveraging malicious samples for normalization, and CLOSR extends this approach to open-set recognition with multiclass capability. Empirical results on Lycos2017 show consistent gains over anomaly detectors, supervised classifiers, and OSR baselines in both known and zero-day scenarios, with OpenAUC improvements demonstrated for CLOSR. The work offers a principled, probabilistic embedding scheme that improves generalization to unseen attacks and presents practical guidance on deployment and limitations, including scalability with class count for CLOSR.
Abstract
Machine learning has achieved state-of-the-art results in network intrusion detection; however, its performance significantly degrades when confronted by a new attack class -- a zero-day attack. In simple terms, classical machine learning-based approaches are adept at identifying attack classes on which they have been previously trained, but struggle with those not included in their training data. One approach to addressing this shortcoming is to utilise anomaly detectors which train exclusively on benign data with the goal of generalising to all attack classes -- both known and zero-day. However, this comes at the expense of a prohibitively high false positive rate. This work proposes a novel contrastive loss function which is able to maintain the advantages of other contrastive learning-based approaches (robustness to imbalanced data) but can also generalise to zero-day attacks. Unlike anomaly detectors, this model learns the distributions of benign traffic using both benign and known malign samples, i.e. other well-known attack classes (not including the zero-day class), and consequently, achieves significant performance improvements. The proposed approach is experimentally verified on the Lycos2017 dataset where it achieves an AUROC improvement of .000065 and .060883 over previous models in known and zero-day attack detection, respectively. Finally, the proposed method is extended to open-set recognition achieving OpenAUC improvements of .170883 over existing approaches.
