What is it about?

An experimental comparison of a wide pool of unsupervised algorithms for anomaly-based intrusion detection against a comprehensive set of attack datasets had not been carried out yet. To fill this gap, we exercise seventeen unsupervised anomaly detection algorithms on eleven attack datasets. The results allow us to elaborate on a wide range of arguments, from the behavior of the individual algorithms to the suitability of the datasets for anomaly detection. We conclude that algorithms such as Isolation Forests, One-Class Support Vector Machines and Self-Organizing Maps are more effective than their counterparts for intrusion detection, while clustering algorithms represent a good alternative due to their low computational complexity. Further, we detail how attacks with unstable, distributed or non-repeatable behavior, such as Fuzzing, Worms and Botnets, are more difficult to detect.


Why is it important?

Our findings show the detection capabilities of unsupervised anomaly detectors with respect to several attacks in the current threat landscape.

Perspectives

This may constitute a baseline for applying unsupervised anomaly detection algorithms to intrusion detection, as it exercises many algorithms on many datasets, all with publicly available data and tooling.

Tommaso Zoppi
Università degli Studi di Firenze


This page is a summary of: Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape, ACM/IMS Transactions on Data Science, April 2021, ACM (Association for Computing Machinery),
DOI: 10.1145/3441140.
